samba-dsdb-modules-4.15.12+git.535.7750e5c95ef-150300.3.43.1 >  A c"p9| k(D"TxENc]>=g0S~~Y~\[\:þ7v8da˽Im!otvy T:6Nqyi@oZ$k\ *xD?Bq5wW&4JBPohSQ 6È w?yJgK=cPXa$Yr!}&2{H= U1('U׺r'}jZE4rEM:n\䓓K!ɋ322017d8af35a76b48c6480fe0f0a87b8e646bb8dc6dcb4011acb3f6a9b54680f6f46cd76a5c4394dd0c9d8691494832aeecc6499\c"p9|3|xϿNl`u񩵯9d(WdOܲ 'U{ +rA.zSW(-!T>k(*E=ke\AaKJΝ0NR]B^r(R#f~9h)pv4PYb͌%NXLFKp[[=Z"xqyF}6DGp\zeA?M@#ˀrr;p\ &wUi-V)=}f(|,L 0Z0>pAv\?vLd1 ? Q 7NT[-x- - ,- - M- |-0--,-xx)x(*O8*X9.`:?>ET@E\FEkGE-HF4-IF-XGYG \Gt-]H(-^JbJcKdL(eL-fL0lL2uLD-vL-we-xfx-yg,zuuvvvHCsamba-dsdb-modules4.15.12+git.535.7750e5c95ef150300.3.43.1Samba LDB modulesThis package contains plugins which add Active Directory features to the LDB library.c!sheep55?pSUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Productivity/Networking/Sambahttps://www.samba.org/linuxx86_64rm -f /usr/lib64/ldb/samba ln -sf /usr/lib64/samba/ldb /usr/lib64/ldb2/modules/ldb/samba /sbin/ldconfigX7Hxx(h H(HX(x(((xH@((H88(8I(XHYH(((8(HG(c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c 7f6489b56d5f971c9697fe5d9044a7b0536a362071a271bc4eb8a6ab5a4e546e76d58e243ecc941cf66124819e80681a97b5aef12202202c74d0bd27ce24f162c5b8f6ed8f012f19015062c5f03532d637849cf269aab286e4d4b25e770e307f94b10882509c0d6758c8d0ff4783291978fd78387af220c20e9e9094202b7d9a5c0c2534af893f786cfa62b81ef3f3b732dc976136788b55eb7a64c88448b8b039bf18c34d80ccd119bdd008293b4119d5eb4e4df07ca9bc6f1795d1e451e0880d9187b085fcbf3f6bdbbfbc8f0809a817637e6fe6a43a59337235f8f17d315f7770c21775a23e67c0222231d7ad12d81259ebae4a995266b42397da4eb9b5842fb939f598ee13581a3df55f65abe87f6a446eb1749bbd4563529f739c11b3c3ceaefef9d4aa8da2fea51f0c71d9be4aa01bee18f39542ff762348db05a9b503d881b317c7eafbd7b5522f8bb864556c64361160c85e48517ab3cc8b8fd210015b1f4b9cd497a34d508d46dc2296baeb4d3a58693a2abc1ca4f042bfd2e20ee8179ccef7fd811b5f457f57b2a69840caf1cd8fb04d1edfebce9762e3078161ec32dcaab339407ca7017cac400ac8232d25c97c39bf536544c3221219b951712e9ef200341533c1b51dc622bdc2da3bbc2f1fc2ac3ea75512b350c4639476916d5d1a9470a5342807c1c3621bab73840e719a432f28bb2c1b3ca63386eb6de60c3b7deb382d08eb95d670c985e594f2b5e93882cde3ab98fe0ce720cd12b0d5169f18c7fd97d751589ef9925a9869d627b87a966a8f49dd681eefb61bdf3bf98f878571c47a8246cb3344002da84b75e287b203f482607fbf82fda5505f3140ec50ea7f547878b3dab8bd3962a3fc25f054b2365839a7bb299eec0172da82c566e6f5e01d4228b812c274c4037d5ee28c90198f21208b47d7aa46e06f6dc893e81c3e129eb9c7d726a8a98f0bc1c5db0323a34659850d4c05be1d56b65c22cdc30ef337038f7d5ff306943e721d5df080dbcf6d305decb2909fcb95d5bbc97bb097c0ba5c38048cdafcdadbb58ddade11dc931e12ffc0b82543a9cb430975ed82958dfda1698147d7eba4074bd26167aa8bd4de28dfb92d6c7790d3c903aa49d0d3f078407df5632f7e52bfd8cd909c8a165ef2b435681c2df638e0512e19f622226073e5fb3ef0d410b203578b125265ad9e4fd4e99437a81b0f4bb93f26a252e7dc7f63c1a07f516f160211c9e01ce619243321af48d437e4a7d98d66b632b037753ff55e3ea9212bb2d3ac44c8c07c25438cf630e17ea45dbec3c64e8703310925a06c3c973e237bab754736e12c67c7340addb0ce5de0725c8bce8460f5dc950ceecfdc10c3bf2c79f834e8197cdd40def2f4fc66052c4f159c8b9758293eede04314513d361d23e928a06cae009bf942b73e7992776ff68c78cccae4c743b61b55808f910771203db4f0efc9f9bb432b216aeda6acbeb54e34617213ad0ff1873162e753468ecd944651e1965af97580a49753ca8ec963b21459beedbec14f2789330352bab82511a6b961924f73567d5500ab80d4fb28a90ad6434f4eb0bcc8ddf6e9a4bcba8031dffce77c9c24eee1f1523845c42281f0babf121e02d1d647b6c76b6f19bf7d1734cdd57de6d84aaa50111f0047d9fe258181ef4edceb0597556d4a3fd442020fa4c878a5015b634a7494b599d79d268506d07bfc0f79ab7bdb509b78201379c8298a7b1afb238f3cf22d42712f34d3c715eb6f8d78cbe283a64274353231055ecdb57887748cdf9ad97c5c4a1240e259969971c21026caddb7ec210ecdcf7dc9b66de68b00f97b025e66ed6eb455db60d0feafdee46d0f365483b5f4448f3549df6ff47b20936d1b849704306cb167393d5642c1a0279bbd8434fd2649fabb811dd7b91438718b5827f571a2deb3e867adceb263de65735c6cfb1142ad365675f128a112c9137444823ab2cca2f6d476a2924adf64f8d3205db8777335ea46dcbc5abcfe3b4b47d80458d0c9f3572cee8d45646621bcrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.12+git.535.7750e5c95ef-150300.3.43.1.src.rpmsamba-dsdb-modulessamba-dsdb-modules(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /bin/sh/sbin/ldconfig/sbin/ldconfig/sbin/ldconfiglibMESSAGING-samba4.so()(64bit)libMESSAGING-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libauthkrb5-samba4.so()(64bit)libauthkrb5-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.7)(64bit)libcli-cldap-samba4.so()(64bit)libcli-cldap-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libcli-ldap-common-samba4.so()(64bit)libcli-ldap-common-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libcliauth-samba4.so()(64bit)libcliauth-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libcom_err.so.2()(64bit)libcommon-auth-samba4.so()(64bit)libcommon-auth-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libcrypt.so.1()(64bit)libcrypt.so.1(XCRYPT_2.0)(64bit)libdbwrap-samba4.so()(64bit)libdbwrap-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libdcerpc-binding.so.0()(64bit)libdcerpc-binding.so.0(DCERPC_BINDING_0.0.1)(64bit)libdsdb-module-samba4.so()(64bit)libdsdb-module-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libevents-samba4.so()(64bit)libevents-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libflag-mapping-samba4.so()(64bit)libflag-mapping-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libgenrand-samba4.so()(64bit)libgenrand-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libgnutls.so.30()(64bit)libgnutls.so.30(GNUTLS_3_4)(64bit)libgpgme.so.11()(64bit)libgpgme.so.11(GPGME_1.0)(64bit)libgpgme.so.11(GPGME_1.1)(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libkrb5samba-samba4.so()(64bit)libkrb5samba-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libldb.so.2()(64bit)libldb.so.2(LDB_0.9.10)(64bit)libldb.so.2(LDB_0.9.12)(64bit)libldb.so.2(LDB_0.9.15)(64bit)libldb.so.2(LDB_0.9.16)(64bit)libldb.so.2(LDB_0.9.19)(64bit)libldb.so.2(LDB_0.9.22)(64bit)libldb.so.2(LDB_0.9.23)(64bit)libldb.so.2(LDB_0.9.24)(64bit)libldb.so.2(LDB_1.1.0)(64bit)libldb.so.2(LDB_1.1.2)(64bit)libldb.so.2(LDB_1.1.30)(64bit)libldb.so.2(LDB_1.1.6)(64bit)libldb.so.2(LDB_1.2.0)(64bit)libldb.so.2(LDB_1.2.2)(64bit)libldb.so.2(LDB_2.0.5)(64bit)libldb.so.2(LDB_2.4.4)(64bit)libldb2libldbsamba-samba4.so()(64bit)libldbsamba-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libndr-samba-samba4.so()(64bit)libndr-samba-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libndr-samba4.so()(64bit)libndr-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libndr.so.2()(64bit)libndr.so.2(NDR_0.0.1)(64bit)libndr.so.2(NDR_0.0.4)(64bit)libndr.so.2(NDR_0.0.8)(64bit)libndr.so.2(NDR_0.2.0)(64bit)libnetif-samba4.so()(64bit)libnetif-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libsamba-credentials.so.1()(64bit)libsamba-credentials.so.1(SAMBA_CREDENTIALS_1.0.0)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1)(64bit)libsamba-hostconfig.so.0()(64bit)libsamba-hostconfig.so.0(SAMBA_HOSTCONFIG_0.0.1)(64bit)libsamba-security-samba4.so()(64bit)libsamba-security-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libsamba-sockets-samba4.so()(64bit)libsamba-sockets-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamdb-common-samba4.so()(64bit)libsamdb-common-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libsecrets3-samba4.so()(64bit)libsecrets3-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libsmbpasswdparser-samba4.so()(64bit)libsmbpasswdparser-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb-wrap-samba4.so()(64bit)libtdb-wrap-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtdb.so.1(TDB_1.3.14)(64bit)libtevent-util.so.0()(64bit)libtevent-util.so.0(TEVENT_UTIL_0.0.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtime-basic-samba4.so()(64bit)libtime-basic-samba4.so(SAMBA_4.15.12_GIT.535.7750E5C95EF150300.3.43.1_SUSE_OS15.0_X86_64)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-ldb-ldap2.4.33.0.4-14.6.0-14.0-15.2-14.15.12+git.535.7750e5c95ef4.14.3cctc5cM@b@b@b@ba@bascabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.denopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689);- Update to 4.15.12 * CVE-2022-42898: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126). - Update to 4.15.11 * Allow rebuild of Centos 8 images after move to vault for Samba 4.15; (bso#15193). * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3(); (bso#15134); (bsc#1204254)- Update to 4.15.10 * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128); (bsc#1200102). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Spotlight RPC service returns wrong response when Spotlight is disabled on a share; (bso#15086). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Missing READ_LEASE break could cause data corruption; (bso#15148). * rpcclient can crash using setuserinfo(2); (bso#15124). * Samba fails to build with glibc 2.36 caused by including in libreplace; (bso#15132). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * samba-tool domain join segfault when joining a samba ad domain; (bso#15078). - Update to 4.15.9 * CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). * CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Update to version 4.15.3; (jsc#SLE-23329); + CVE-2021-43566: Symlink race error can allow directory creation outside of the exported share; (bso#13979); (bsc#1139519); + CVE-2021-20316: Symlink race error can allow metadata read and modify outside of the exported share; (bso#14842); (bsc#1191227); - Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- The username map [script] advice from CVE-2020-25717 advisory note has undesired side effects for the local nt token. Fallback to a SID/UID based mapping if the name based lookup fails; (bsc#1192849); (bso#14901).- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899);- CVE-2020-25717: samba: A user on the domain can become root on domain members; (bsc#1192284); (bso#14556). - CVE-2020-25721: auth: Fill in the new HAS_SAM_NAME_AND_SID values; (bsc#1192505); (bso#14564). - CVE-2020-25718: An RODC can issue (forge) administrator tickets to other servers; (bsc#1192246);(bso#14558). - CVE-2020-25719: samba: AD DC Username based races when no PAC is given;(bsc#1192247);(bso#14561). - CVE-2020-25722: samba: AD DC UPN vs samAccountName not checked (top-level bug for AD DC validation issues);(bsc#1192283); (bso#14564). - CVE-2021-3738: samba: crash in dsdb stack;(bsc#1192215); (bso#14468). - CVE-2021-23192: samba: dcerpc requests don't check all fragments against the first auth_state;(bsc#1192214);(bso#14875).- CVE-2016-2124: don't fallback to non spnego authentication if we require kerberos; (bsc#1014440); (bso#12444).- Update to 4.13.13 * rodc_rwdc test flaps;(bso#14868). * Backport bronze bit fixes, tests, and selftest improvements; (bso#14881). * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal;(bso#14642). * Python ldb.msg_diff() memory handling failure;(bso#14836). * "in" operator on ldb.Message is case sensitive;(bso#14845). * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED;(bso#14871). * Allow special chars like "@" in samAccountName when generating the salt;(bso#14874). * Fix transit path validation;(bso#12998). * Prepare to operate with MIT krb5 >= 1.20;(bso#14870). * rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb;(bso#14645). * Python ldb.msg_diff() memory handling failure;(bso#14836). * Release LDB 2.3.1 for Samba 4.14.9;(bso#14848). - Update to 4.13.12 * Address a signifcant performance regression in database access in the AD DC since Samba 4.12;(bso#14806). * Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache; (bso#14807). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Address flapping samba_tool_drs_showrepl test;(bso#14818). * Address flapping dsdb_schema_attributes test;(bso#14819). * An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). * Fix CTDB flag/status update race conditions(bso#14784). - Update to 4.13.11 * smbd: panic on force-close share during offload write; (bso#14769). * Fix returned attributes on fake quota file handle and avoid hitting the VFS;(bso#14731). * smbd: "deadtime" parameter doesn't work anymore;(bso#14783). * net conf list crashes when run as normal user;(bso#14787). * Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7;(bso#14607). * Start the SMB encryption as soon as possible;(bso#14793). * Winbind should not start if the socket path for the privileged pipe is too long;(bso#14792).- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./bin/sh/sbin/ldconfigsheep55 1669996806  !"#$%&'()*+,-4.15.12+git.535.7750e5c95ef-150300.3.43.14.15.12+git.535.7750e5c95ef-150300.3.43.1acl.soaclread.soanr.soaudit_log.socount_attrs.sodescriptor.sodirsync.sodns_notify.sodsdb_notification.soencrypted_secrets.soextended_dn_in.soextended_dn_out.soextended_dn_store.sogroup_audit_log.soinstancetype.solazy_commit.solinked_attributes.sonew_partition.soobjectclass.soobjectclass_attrs.soobjectguid.sooperational.sopaged_results.sopartition.sopassword_hash.soranged_results.sorepl_meta_data.soresolve_oids.sorootdse.sosamba3sam.sosamba3sid.sosamba_dsdb.sosamba_secrets.sosamldb.soschema_data.soschema_load.sosecrets_tdb_sync.soshow_deleted.sosubtree_delete.sosubtree_rename.sotombstone_reanimate.sounique_object_sids.soupdate_keytab.sovlv.sowins_ldb.so/usr/lib64/samba/ldb/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:27033/SUSE_SLE-15-SP3_Update/f968e6c693d465d247e96f210be85c5c-samba.SUSE_SLE-15-SP3_Updatecpioxz5x86_64-suse-linux  !"#$%&'()*+,ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0459353e2431067893a03cac4e3e0f2a0fb6b3db, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=485690d04cf886c0eaea3fdb3748d9e446566d1a, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3a04a19b69d6d57df3658e9a12f8080c720a40a5, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=2ec0060913fce39500d12096d980ebfa9acf94a6, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=661b48986eca4442c0838b08b5bf39914acba1cf, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=d108f92915ca38ce64274032a400ba5e9a6c31f0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c3ea0ed0775f6d5b24b470dad1759cfd58cf18b0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=4836c5f7b873be07ec0d93cdec8ef9fae50e28b9, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=93da1cb9092d32e7687bd4cb29fac64c75949a0b, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=dd75ad96e43b0342b256808dfd421bbdbe4ff080, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=ad31d23bdb3e2ca5f0f3ad2be2532b2999eb24fb, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3c3b6326e80e4cf33bbb1d3c2b1e5241c947beb1, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=4a8ef2cd74e252533e0089021cf401c116e19e38, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c1e4e41987e628d27559426a06e2d126e7caada9, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=e5d58350dd7b357e9d5a38eb800c167e082fde8a, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0f1b8624b272ba80410bf5e996c9b98f4a2d3e19, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=f462b7bdcba2fb242291c1abe70369ba36099131, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=528b22996d270d7249b611a52b6af259dc208bb7, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=87117481399815595f3d3104dc5261581b6d9e4a, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=e65847235375419659e32787428589a0a694bd60, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=4461591c31458531bd9d0b1a09aa36b1683e5ea7, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=02fc851312592c1b9c4a1761ad0d5ddfd65be748, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=6b91372cb5273b7d0661f1e0bcd3034efb1ff63f, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=beb7b70cdbd3924f1aca1f6e9b0ff47a325a8cc5, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=82be31f15f1d3e0d6da6807127965f2631815c5e, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=100bd08bdcf02d22cf4ea2f98ba857c987d957eb, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=d22bbbf9ae39dd353a7fa86cfc7b9f4f16a72fbe, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=ad35d31eb2665f4eb3032a9de70719dd320dc99b, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=8329220810b332a07974d5502d22317b9d809516, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=64449f55738d79ffd8ae64ea466a17d5c3573535, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=5e06d080ac975d15cdaded5a5b7fa911ceed546a, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=089125a880f7255825e38acf59e5d6040154b850, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3d301dc2dc4faf28f41ba009620a8bd09b6dc4a3, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c10cea71ebca06277b2d8d2def7797409a57f89d, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=e9eece4ba1acc405452599522e09507a71c08c6d, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=67102d3cad945a0120fb8ed56afb49db49a98a3d, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=8265f64902a363b99c42ad17d089c829e613ece3, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0c1a1e24d36252061101f4ad8972dd2e8c1fbdfb, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=caaee27affee098c81c8db54d5e159b95089e147, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=31e82a3f1182281b816d2b0d6e7cfb46eb0adfc1, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=4ee4c310fef27af46970d2d2e56902da325c6aeb, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=b0119500a65542cb7de9e7a92295f0f687fb6db7, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=74b0e1163ffae1dfc746cd383001090fcd94dd95, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=ec1027479b40095161db3ac59057a781cc94261c, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=d781297c8d7930109a10ae7afbb34bc6863f454b, stripped9Gev+FQZs2=fs+<IT_r   8 ) . #  R_RR.RYRaRBRgR R R RURHRR,R2R0RR^R-RGR`RTRRARXR+RfR/RRHRYR_RaRBRgR R R R[RURR3R8R9R2R0RRZRGR`RARXR^RTRfR/RRBRgR_R9R0R2R R R R^RARfR/RR]RRR_RYRHRIRWR[RgR R R RURR2R0RR\RTR^RGRZRRVRXRRfR/RRYRURgRkRiR2R0R R R RXRTRhRjRfR/RRBR_RURaRgR[RIRHR R R RR1R7R?R2R0RGRRZR^R`RARTRfR/RR%R_RBRgR R R RURHRRaRDR8R2R0RRGR`RARCR^RTR$RfR/RRYRBRKRnRFRRRpRWRgR R R RUR2R0RRRRERGRRmRXRVRARTRoRfR/RR_RaRRgR R R R2R0RR`R^RfR/RRORHRDRRQR'RgR R R R_R2R0RR^RPRGRCRNRfR/R&RRBRRaR R R RgR9R6R2R3R0RR`RARfR/RR_RHRBRgR R R RR9R2R0RaRGRR^R`RARfR/RR_RBRRgR[RaR R R R6R2R3R0RR^RZR`RARfR/RR]R_RRYRR[RgR R R RURaRR2R0RR\RTR`R^RZRRXRRfR/RRaRR R R R2R0RR`R/RRR R R R2R0RR/RR%R_RHRBRURgRR R R R=R5R2R0RaRRGR`RAR^RTR$RfR/RR R RgRURaR2R0R`RTRfR/RRBRaRgR_RR R R R2R3R0RR^R`RARfR/RRgR_RBRR R R R R2R3R0RR^RARfR/RRHRgRR R R RaR?R0R2RGRR`RfR/RRBRHRRWR[R R R RaRURgR_RDR2R0RR`R^RGRZRCRTRARVRfR/RRIRHR R R RgR2R5R0RGRfR/RRiRORBRYRgR R R R RURlRkR_RR>R5R4Rr1!n4?YF]@6y 7 |Gk f;G>L";!@L7%]_v Y 갴Gt[WvK"cSa!?3tZ(e]ͽM/_I5Xb=jAz|%ZĚ%3J}/w6AGU)f)> e֗}X;8;B&qm >q0:m‡^3$Kzո\jϤ9M!_jm,Ń:|;55. 4Ѝ/(J`AKgD4|ҕeߊirmb~rͽAr)eR.7LȌo5.%lIe&u\2]_ؾIMԊJhϺEy#ENm'“|h_ pm?LN/N-",z>TnWeShՏDL&,3iZC䀭 "=hOo'TxCq:1j:jMW_|'LO 6$h&xx[GۉOwqCD &d ඪZzV" ~$?1E2`VKx5ܑFhs TDU&j%#-2vn]e iY:Q>v<|XC5ďKhUI7Ţƥ6 d1&l/~h," }fXd&C9D (м-T -ښI &8bD"Gpu(A򏕵8V*c{s?;BM}c()Pb6>.N#B˚14wΧ\/zF '"5tHdA+ڛ!iq_,#ڌ;0ͩb=@[oͧT@2et)fD)ԃ]t(CLټV1Q.ZYB d_:vP81|254bqE."`:c Z=]F& MF"U?4YiX&ml遑 x? >'a d)5*E]#ِ#R*#Y>m_:o־!74 Vgi]SZ=m[!;XëO޼ *5,^oivH˾=ZR^o+}IL)Dpmeklޔ|,M(Eh`|rSʑ&-Um2V"j-%xSi;wviϭOf&Ű DSd6q)Tn4i((~>h;, ɚ5PHdKX_{7ㅹY>WFS'xY>4z'&- qFKm  ^v]*WR|?=߽z;>]:0N^v{CCPqC*:F-bfV7!Old̨qV\ܮ۔Q\4!{l_;ԕi*N"̉j'ѴE|?&NrF`9fU8~Nr?`;{dl/\Dw_@kIGF ?iD ҏhK)q2c=l/]77^ L f}&W+E"YFY2N4-_9GR_W,C dIX톄\tQ܅(|W Ex(}2VQv20DJtKBDCoG96kDsNEGD[> ]Jq1K7\d>ߘ`?i~==䅨aI|ɮ (7MG ??PゐkJrWqIĩ&C5ڍ.)4+*s29)4"1JCU"σDRt z{|;"<_av)^6%JÁ<̹j㎕/bZf{^u%>ݢո7냉8-ABJ-j`a?&Uٵ_6vQ[6*ҧ|.3܉9jMeZsz#MՄW+~Ou=qy;q;H*@TL+E/Q'gijjy\=|hPf2>'= Ox,uͫ3^מ79Cȴ-iGRI$N5]\gɥẗayޔnl5u?6sЪn( |hAaXE(U0+P~}u-PUo@EGY)Wдmg-$ izVx[Λy'ݫ/ c݃cY[BjbĸT'((jј75lwH-z鐤"BhB= 75VM/K߼i18&"d<.[)H ;+d;0|][{;Ⱎ¿}ȲX )fyӫZJl`vc8eɨHkzWehEIQKD˼`C%z77wүl4YW{K:LOҰ@U3JZ8MT{:6錊(Z^&賢G%K7ϾGBMW`݄  BґZCcbiD4,eMY#F|鋩yh?DgH])*ہY)p}krJ-Ka`&, zGuj?MEp/w}2bEۻ/ܾSy2btNbYeKt!F[&2ջt8Ns)]szɵf3!ۧ`_-c#q.cHV !pڣ}FiOp/bmRlsQ_WN lNvsi!]BA)IG? O<1 J J toU, ^C_<Ljuq9j' S41RIgnz޴y-F;$;fKoF!YY^`exA&׆m&;j7ʹ~g uw0|CTrC-SU6\2e'/kAa$3 "RժU~)~~E :7(͇䀋)!Pk% x'J1FM"7LSmRždZw68|ei*H:xw3OZYӾ_WcȵW n2 C(JHYs{bNg\hfO ˛֮JR9Xjɡ)mTkr?H|&|]r?X IXDk3B`Ï5Sna&r 61m!e_AXiox: SCtWIQi13|"x|-![IkVx6vBmT\o>rh%Zf07 rYav[2# +puhgZi<+_p^u'6\ r# pwA˒Dqy5F6y;L)Ts}O!*dM|]'Sˣ0̽L,q$3ff tR% L1d#=JܯnIF!"v}a4/BE- v^n)2HL?2fj]E;Fc*,Qؠ5b)̘{3\iaAMnh*Cxb݄X[zfrcᙈ<}@W 8Y-OZEZRV„ %E/vF&GB;~k{i?j0c{^UyOˈix>*-}7tΙ @g\"UؖT"0=v[t6IM5QS=3IEOcvQ *ùP:玛A#_ \*-J]ayEffg+ʼnMyW2j~{S|TjbT`( EƆ{Ԍ6~#TjSiMڿwZd׮)^a۳rҏWO%pA,~/fV iy`\)6`1ׇW~QT6dz r)Yz~ENa='߈V$LLz#EaQ1M"}m}+ XY F{ ]oX9k'B,{bm#|]ob>%\%3ܵK b UeKU6@ ^7`~Z5eiBuE"6sX|(=kDB qzjڳ-q ӆ%G674پAAAveG 8w0 \ѣާgrʬ0 NOϗǷkE",$ΈSs@Bǣ`y~Aj'#%fwgnf,|K38dMDx ݵ`'Ņ̷͟aT߫LiQhi$!~y@m+Miߩe5T$ACmNo @1GxEFoJ}Y:s^޷DZ^ذ6%Aɯ;2q:y[VYW8櫼K dykkRwc>#P 0_CYѮ i"GRWք7_'gNEP!" ͒,p2+՞:4C/}nqy1O\U4OA.gIn'R3e5ڄR֘@<)Ŧ$$#jjũ鸝BW8BAϤ̑ȁp~|0YRwxfRNoGs8k.?KZtQ-5ƶ=Hư1!{/hVuO{p*RV7-_K#lBsu:0 a/lOY)['N9;奋bIuz2 ?,Gl:[ #%8bs@ߴӵrCȒmR" +}4P!IVyƢFkDQglh\q|m96~S* P2$=(/ұ;8ʒAnw(M0߳}iKPMht{ӎ:Lؗe d.,'-%D+;&-"*p L:,yFu5/vdD Ǡ H IJZ'Wl%>K]ԛN tN+FМ+93Ii :~nB,7%[?%9,W(G7ecB)b ecM1?ŬW=q%2ڂ_*塔| ˫ OVt=:0bfV/MV'Im[YSCy05 JAvqp< )n׼_5 ˟*"#5玁Yfu^'?o+2B>s?}-l#{4Ǝa^BxT״AD.DN)\Sx{;*=wR5Ek/K(qnc=A.)Gy$ׂ͝j "7}W^'>A0ZB߶ ^XpW񏈉ZCض-w#.pqy)VS5ݬ UW'ϑ8bI:*iڈS*`g{`lA CeRyX- ig*%'wׅE2<ؐ`U@O9S1A"t r \2D NNXŋ5||8]ɿpЫ'}"9Ux,W($Uї]f.br|)Bc/Q"ߙqs=Hb|2KT{Fq %ǚQѧm6@hdߐWrp0 쭪P8dhz0tKUal~_â Pa؉1lD-ᮉj6' H*h{ YRWg#`?̔]z./&eiF_sNƕ~S 1kh !a\S}!\b(a6-0lp]l-&1 hb}+nf:屭Rܼ($ +QK ]uRwDK\LnRe/Sd?[~Ͻ NQ~Jd1t  GmLJegY⢾2G?ޱSԃFe#>جՎs+<F z(+gS3'Y/DAd`1: WRcψjDVj9EW& KR+U1ՙ3>Yx[/@yS4U ؟Sk?c|}>&Iy0),GfWPD"c<9(Y @r&I%E}Kʝ]n܎k aрBE3I hJDe+BwD$| Hn]`?fh#Ad%Ȃ ov˲/{ێ$/h22k"&&-.,>l \G!\+!ZW]ZJ=Y <bz`n5Zi}l 3Π~w'O} vKKE|<6eI S\lS'C$r،]Q5I%XZ;j&G &_INiX CI}R&:B'wא.m&Qª>ԩƜ.pkX\Q42"JZ m.k$R^Ϻ A~Ea~@ q@G &[aWA;\b3 Iij?W!^ Q4 Loȗ Uiq !JLs%# e$LQF-HR#B={=NN| ]+VI8W,QTY/p{`|~$G+[ .&X]I=3D*Csb\Sy2)?53S5hٯWaA0l>[Nc'spn2!1wKž0^v}z\V1!8ʐ1[J':9y,EooQ+ ){rO؈ (uR‹TҨ6~3kHSBk)fQ{&A2t-67rJ%v. ޫ‹h`>Dgd,-0;!gn1bC Kߏ=fM8[IZ͎) lu 16%ξ;hOuR`>[O_>jfޡku_򢒅ab ^ H,3?30%#%i}ZOmVb$2{¤FiB)qЪ]}"Lk UX%W8 NeV۶Eؿqu;7; yo0>w1f A`eA0w.%a-b zriY*g^pA(t'z1o,UAϻS3$0Aܱ}ret-""( ׸Α`$A30Lu=lBZk(emq'7k#ߩ%pos}ӼQ4ݤ$<>pSԂ/(,am#LK,} ڴ5:6,չr u V9$GyN0|w޴7`_S/@|o6ԷKT0abb5Z1zˈM BۦK;B5 K|zXQnaU [JH-5S}hR/d{`YU,!UD"XhԴo7eдBlwAr!z jZ/bm.79tk/(:3>4^ETAlL'S> 1tD<镇dfE)b0̉FdV$էːbiNЗuF/@1ZކgInj He>fBXo(|ڛ`!Tv1 !? DM6 Sa"\ ~#vU+}yeL.Vd1?~, P fFR1>(J3nvF,>Kh@](!ʏQ,}ԅ!)k6,.-X4?PAb-P#se#MoU1"weu1$qݣM(Jhsm@#, ҙ$ϔV0&\⮨upϩvf6:Jah_$&Trө?,=¨/0cl#/nM/lm?B/Lj&_?neEzGdcj~ȞJMtU0rY.X0H%36z }1iUw!tq gƕqՑ9Yp~sr몓9={m0~򜀲m wS X j[4xJpP(EEcrmp9udYٗ'A⩥hʦL\##vQ`PHԢaxh+LV=1{XXcE"WӧHkn6Y8$8^ˢP"5I.)!49~nDgvD"w>鈬)eW8sӡnL_+p@l3 _֮b8wh`o X ='D ѱ dkP 5 6tv:Hʩ8Ds̵r#7bfXގJ59-d=dW$<5S9eJf8S P͜|qYYޥ~$.7"ovҟ  ^H& ^-SǾh@:nvW&N\ FCyC&(^75l9j.ئTZ2lV }/2 wa:?yBȶdXYS]ǩ?l”›\6F(䶦rI@ીr9#t4pR#%J1kX [zU* ^ i3pΨGZ}/ñ7 0H;[׸S%w?-:z[ŷRk@揌-2&p7eȔhb1> 9 ׏6T< ,*L(gsb<_y>gTf3wHߣޕ؍E&w] 悺4ҠTI-PjO*d O@s a|۵k*q8O-ED>6z2t#ȗ Gye "+8&u6A!mHb6rj #Tqz%jt ]@rrg=Aj(7J`Jo| <`Ghxq'UPQp|76!`ޠKWHJmue@Z׽l$i-u܀@p;ιڑDn?~9϶ٹm?̐M]z:C" 5ը@{G, ElDi* KA]DZd"&T].xK+9ji `~ͅ#M8:YP4?pWA(ɴsI#GGvn=8Fh"uqv딗{jgF~4['{j0`DPeiC0DG@iA4 ͙MN42q`(d0XiK Rl 1,=w=F8-JWLGeE!\Tb-n(c6FF>:3c;Z6~tbj=%%Bag +A:oJ􅄣K~slb? օ=`e{0b7H".Zӫ~XW/M}Λ _._ X᚛?ewk+iV[|1Xvr']J6 %!(d%>mvu^F02bO# .ۓb‡!ȡi OYLGˤԢ^$|=( 3;zmw|Hc(&C =βKkŒnhwB P.27tU%a0W>H*&&*"dTQJ? cكXցO_?R~CNj\V(M$C-Ok:Tij <I&KEŦ{z}p1Na,1U)!S>~0,ԟhd]z7qM}N5C"##diCﵽ~VuFvajWVx$?.:$KsBUq*]8WϬS "e Cһ.{H%e^EK=$i}2O&_u)owj @M2~>\5VI,?t\[X*Hs&i^ҍ`'3˽ x' LtKOr7WP1Ã`oHB? c&G+.K9)7,V`w)͂dݑ֕h:Wٚ⸮f.O9WXΛʲ#HR=OU`×.1  1g}.qbWHձ\D/%lig|˔)>#ϝ:֓A5`^4?̛sŤ;,#$dT(]&ugg8ndUd  y31Ţ}~ IUt*ُLl/ԉ+.ū b^m>ʱ<@M=m$#]whx/ (8:eyLˆq9H9 IEx>U+zN+ȏ9$z{e1tgkz5!ǻHؼ//`hXt9[dM.0Z^{q2XfݞУIz1> hg?>'q]>f㍌sOO\eAc/p>s$4ClĺUSE,7+oP-Y^t VĿrY"7 l"F>56Ymf&9,n|aۭ ŰĊȠN,^ymKAe8ӧNǎ z;]FM%UcJ5PjdƔdxlr#%;$f@e_Ł)Iebo7WC925PJ"> `^ p1w|4Ȑ&dWE+v7 E˙o7OHW4uv=T v|D6X)DSe-3'}X2>H)@ބ*N4Mb%hҔy}Dfۄ>mwjm=4Ҙ?N1L-^ĮT 2~l%v'$;^6C\;5v"õ$VZflO9(}} cl"m#;n[p~gxH^a|t+Rq1^MƭFzRT9$5FFtQ(8숴ܢ3(f:Q`/q=TJ0͜%pա\:8ijwoX"'}'(meu$n *=S:<>!dtBƶ)(: "ְ,vu5/HGukPrhn'.13x Mwj =[ e*Nr+Nq}1i08m/A|kP Lt?Sg=nɒ_ ` 3;0[5oMζ(3@+0WJX!&s5+!v-$خ@_ KBVKvUط[ޜ˱:ychM/xU.zCU a|5/{QFD>Ȓ.f Gk[a]}@`f&8z0V I(j'˜,4鉉Z:s@-^xZ rWՉbktBܦnѢksKI?p/UPApG/2/=5:n% ^FE"l}n")aGLj,oGD( ۣAw"B+Se3@R^Һ%6'$;>@Nj0MOu~ZѾi*ƉXTw6MT%]်5xei;=I\)BN8""^pRE{-)*khu@Q\rM=CteH׾6E iTz%{:Z:&׀{tx=;&jҋ& |Ur04eLrOX*`4Y©]e]j#籑UzrWsλ<")|,aYz р=z)%39z. 7DRO'a- )u{<]BP'd*AdRp'4GAOJAkp%8GG_-@uIW )Wkǎp-=Ԋɿ rk3*p}yø $ 1ѧ"Q$:>t[;|*fLn|ꕜGg%1R/R/V+'E䦧B vX1 a:1 d/@Oq::|ڐQ6lF~(U6ò|~ =[elPµvvYHE;ΊuzbfNΙM{ j:O~s:OQQ&JI.ⰘðScAd줹.Cu i}6eZ֏>;؝=7BYbfyy@k.泰k8;lI2',VnϏ:E~k}":{z1bN?&ΰȮ}QQ{PSiB'kѥWlC4뀌 'SW*˽'aktGA*.lɜ([7@O @bf2$1y]};{OB*F Y %sa@%3Ŝ6?2?D]`i$@u`:wĉ:⯌$ VP}wD={ Q R=0xvM:qf\S3 _#80:QM}@i+ItH\4N .[ƢKvoVKbˇ5Z1m> KkhF f﹮BZOm1J*zWRGӹz~T,-l-6E$|ow%)| 6|EPA q :(lx( M\>s1R34Jq~F}E/vXª~%D_k N3N +;1SGU GQ[jvzDA*H(ĵ/!j,f" =DXxbw,6QHe6<˱d+3_AyPH^џ 4Uʌ%R'suSA='Eiם Ieh:PWw6bWÒagR+Do6_QV￷.H7qP'\9w0x2[Oyc| jAnvm1 0y=ͅYҾi.LrKt'.Ns~ӿEԯyLR^B=R%n5Az=xpǑ~@J#J0qr j6UL4gK )+!5|;.BdwZE!@B"u_:.dRP#2/bakp}gy>*j&'$͉?>b&D Ry(E2u/,sM\1I u&DZU*ى<=ށU?!d;$iUXkf>/@yt /n7/XݸVwԻE#tʹ\B\&5$J/-qKI!!ܮ*].)KGWf4|6蓉 >4?l#zGql#s ߿ "3TݬֹV Y V(6cv^Prںg\(tE{JD#Q(jH_;i8}CkhA"+ؓ2rhWoiC>6f͎=+(=f4i;8!c0]]:PPVOH+w!pX>K'ib'M=т矪 \©B1 ,v4-6xK( _EEׯ6C2,|68,ʾ|<Ֆj ݾ˪Ps*WCBsJ55ʙalGS,PQ%)/p\*gfȸp~y!dI7%'3Nvh?I`uܜ<| U`ta~m/ $u-'kYQ}li(O w> `N3̣WiQ'ij x}} Y"5قI*rER-t d3V3 Pǜs-O_7 ptkBTԻ}y.BM~Wܙݿ<4peN!@L4Xp/ N< hqW G#cu]NJM/k\A. -^:n ;,{ U9tࢄo}7#ħ_ YEj`1 _@T/Fg+a5Vgj)ѹaqqo^c켛~naf"h>+h h@5?Ӑϱ -M"5[ƭ$ KwEo'k}rMkLhJ!R/"]Oq3 j[nJ]Y!CџM0rhv҇۴26mYya(&x~!؄e殷'P.7/e}Q8@J0(ݞ-hMR^+;y=}\ʸ>\EfV+>PB^pH. ȸ ȽJw`V{U0Z94b:dx ǎH޻-D?Od7 lF?BI.X1޹. I =t:+`NUT'SFbi: %xiwi>81Qa&S,A pE$ %!x2R-r y6੆Bqφ,K.ti,KJJڬۂrW+VU Azx3,E ϟ\ZNc/@cs^[Po??,/K RTa'gMNj 3d$Z"_3^1]|^a_ÄdIn=f90H w eT1e#h s-U^C3hs[he-ª- 'VWtƚk)_/@fapݚUxt0O.R\RDtƩ%FA[IbYjq?ځcҥkgo~`u-P]LW8{ٮgx^̊QfP;hu  >ˋU4 S6&^ *e-pip/a, @q8=(Pt'a`]f'#Pq ǃ.ߌ\f'֨G{sؠ:63{duQD$v@KK3]DC u):EhH3xGΤoxJ ˋ9GFE/zBF8}t'>ù' tr6]BL+8?Srz0`eAqJ|' Fr2׶jڣQ/B:}do1j!3^lܩ8d䀟j TQ}Hإ˓+x`qGxa/+*U{1H?MNx>ly8!uQsnc0vF~ꔾJ@3W-п2~Htǵx34- %b` i ŪD6IXTYcimY*WY|2:B2zFvWr<5 > Yy}}t"X!&2jRz3c&AǴ<& *j{%ԵzZ;[|rU&au]Z]l:?,VԮtt?.[ NM+@bUIuɰ$uǵ!;'%NHkܼÇs{|@!l ٟ+usSSF*3 . ~Z Yw{3 :)J_\7 sqt΅«uvHtPy2;n[n$6iGUo]q2>o]OxYzBbO1G\#{N>_m1,oF#nȘkky_ޑY x( <, ceF)l>0`Zϻ>_]]г0r*r Ř2`6TKbėA7u8LjDS h^ # qbC/, Ffhd_cbp;bR4V/?+ynGe UQI^qaYΣBW&"'n@8]L~yE긕#:m[ʋD3 Rl|FLyg @ JPǛīgpk(l=Q'ބ힝|ċ*%β_QI7cGQ`c&26W?bRb-_CFGkIa9|\Aq{w] A:23< uXL @CN;6>wxn{i1SZܼ^7h]4gta/H,V8ߑܘ\80 -^SUB-ꋮ&CЗ  Gs9}6M+D<^0}{"` H.`Q0r h,C~o`u¹̥[j.U'vw1u;#,2<ÅCiTm<5><ۛw?:/V"5CaCix_L0mcGp9n% l=1`4eɽ|NMk@x(%Ee&y@1nF (z| $Ww@7B횾6 TZ(F;@w2YEgyꋼhf5z^lt0~"Xӻ-iC'R8zs;Y`k<$@Qs~Z!36F #?O%)<\3_`7 M.Ety-{cF2ﮒU9΅\Wl$|h^hGa$2Q5ɍI#uթ{Tb/Fl9ٔV*zEnT!J(:j NT#u^P5mJm1Hj *ں2Obt_>wk/Hs1˽`"خvN-S{m?~ '_}l|agGeO;oڼHV@N4T]=S&j"Ƿ ϪNĝΊ^sY3^Wng.|uD+%d%E6'Rʓ-l{*EoWn )ױf*b0K;Tϑ*nT# ۞٘&PHT8s){Fݡ"dx> x @T=Y+`mi.c8*)syց?WkW4nldʜ`*y_n4$G3d#cUr g]\j'lwj$|>$a wS!0sz2=O߷OW7HCuT UĊi0cUAG}Ċ0dB_yZgtr1,uMfS/=v'5">М!DYfdM [TChÇl7y:ְ`a8-;K,MafCHhuh+c ߩPyL H<!j|oLd# w'wɗgp,ګxݻ I ȵ?ЂOc$74'L0`O& &ZiX'$&ZJB]5zoyLY|CvKВib /7r9(} $M4t4fp,_}N,F[53zt *|(POBm;ZGA6q3#pFm>jjmz(5Na ND˘APj/7Fx//ӵPZz>^m1H9\A r 2?7YҳHA'%"GоkUU`2D+؆Eof@ yIp%c[TR#kydKfOXRljx Q!H$a`\}/* o'w4Bg8GrFC MQ >hEʶw,dfiMxINcFu+dh­][7O]e%*%ۍ""mC wYN :b?w@uzM'PbdۆZ=%*?J$}{\ ZStg[WuHa? 9-NǦk&\>q $hg5wQowau$hGu_٠*itև(S@kBu(OZ(EɛﭚFU6m;Na",GD^G*-dGe~Ӊ|lup>ت82@9gE!qNb< x}f\Ly sp:(FD6;'oO4 _O쒦十y2+YrYݬR/f@_/#Sʫ)7tT\|phY~uiɫk#i\5/w'e?~; (JQB8No}ZT6W;4I5`Y(I,8N h,];yK<ϯEP#'gx6z_hR{oAcWaށi&U[b6epINɂ5sSnTK)hkSiG0GDw=ze|_y8!Γșև!|~9TiѥWbS}QexЭ!zWi]`;UxҊ(]ݻ~M`wzxh,2˘d16, {δk 4ˠ* .W >WW|!]T{(&qlpՋ 7iB#D}>|0yqO~ݹFүp Jyf B޼91_qg՟O{Z{ӏHsU w^nL׊n~B4C@.2QtMY[V(4:'vBR wV % {x49E b$yMMv v`xwt2zlt*wh$?̑>Y>p@n`)0D(x:-9"~qwUN? uC93iM'49t>6*X aUY Jx# mCEgjBAɬɋ;w߇!vAOiBxH '܆ VwD2(fV]&#ºq<:p}w+5L*d\ikHQ|$굔|id `E/? űu&ڌ[nF5!qED1}ھ\j%Orц҅f~U:fBUv߈8, d٤4郶RkT "UuḂcClD%*8\a:"l 5)0CCvZC9:<dz/gg菞y/E `PSoq˺  ~pFɮ`;܌Bc۪҅ AzNs5tQ~ȦQxHV)H%a]S}㖈#QկTZ͔W z0qĘpY35Ҷf3ةQe \[cNLưO"Z+hy-~BH!NdW;+\xHRStKgu7 h=xH9M8 *Rܫ,`%hy3H|"_CLɰ.oW[[14(i穭><˳߬Ս~[zҝ,w~w/{ylyAs|:lQnX3K{C\@:9d'Eĵk<"6Lf|vZ؛phMֶÉ[qd."][k 8{ Juyƣ;+u/o*;lR,TjX~TH\7]8GPyAĔ;i JD1zKe3ǩ@npjl<=4j윲IQf?=FِBOm|tmuGl\'K'2˕sJ_ڿM\C77k'@+7s Q>5JԼ؍QM6?rMH6rhF7uj)沼VYV4$%OU=>0 n,+$}X[Qdsv:r֑hZ]Yl.M> $Ʒz "XBEasL `. {7e׌#g /K&L5Px/wʐ*ꖘ}fyHLtlTi ޜ+B8?=3T<s%d'(3Wr;18}BAպM}P`NUtI_\׷n%{:|BŸ׷X<('CC3 .F9v~WaK']C1PEеVCj&J-3KTI8c5֥(W5ޏ@0o$jO&)ͮ.ۿIR:j,.YQW.(.?B&{8( g}"=d1.<[AߔUZMz&S*`n$K+ j Xb@AYaB{_2Qt&od@ |z|u,t8Ex:Ի-e|Qo7,$Q%,.(\9K7HE9ŚqƮ]ϵO{w)ЖժyJul"ܻF 4@*M@ّmhT#Acypk)]0&S&c4ƒr }ciQkbW `ZU 9ϋ4x6.gf)us6(IY6% Q){|lӞl5']wh5x9hKsnnjq0JeFIq BT CI$TtL6GS_N * r ؟<-Znu GC4Yy@7Ś+Ї ӠQt!! U|Mq Nv'B! uSR6\µL^Kp&Gzȼ5BGث BuSt샢n$ s}a_508'Š4f9t&[Y˚1zz1O<0NJHJJr ){ˋ 7BQj/cn Op ftq&_&] 0 /:hWBO] ٦il%%K!J;m ]~#ݫCqϵwINJ֔{>5^k'䌛ޝ:6=\ĀmcV'veJ(9qvdhfpx^m 0qd {Z_De"p5QټzV_"Gߛ,6g$?eKe03g搵mk;R?PG]GaBʽ!raƻ%^w؁T3(XWexwYi`ѲY= 0>\d7zրmD+!D: 3r, Up}*hD&\ǐrwm;:ҫh 3N\>]!+&w]zC(΃ hHإ,-K5? n"g:;Hw2V^:Y~%-}P[VdRw [,n+ˌ*C#FIqc"߽}9ƀt6;VU=h1_ջ"NUU]0y`F]{ν+O?clöcA$ Z#-Qf{|emw0M|{kL?7ÚpC"C[nmY9} h2h8ѥ)_~٦)K? dOm!~Uv4c)oBG/{] )cw;Vb'N "4 v.Ҍf&9="=Bd͕ـ}-IؽSeJNϧLC㐉I6ok E y>kF,.&zAUz5Aϟ&y$n'?$lq@ED(߯-LrۊF*SI4@ޟ)v\2 #FDdEehdqsr:p࿛cok'Sxy~*fpGYzye>ȣLXd[ZX+>v&46v$:mbv+18!{KHfiå/E,oDe+y_ !3Oc]iuR|N|To1ct,K0&DYxӻ,ёUzHn]?B'Y5j!jx~MoH$ۜ ylz[QaWB i@n˗zAT"WubQWvW, យ6u ē>!# FK$9ߡ26Sč+9ǥ3@YX3yu[~i(0HrG)VMk_eaw^f!( V},G Ͱ/( ̓OoF-:=*+B:xYQV.Y\T<9ʠe,Å6145'܂ kW[>WkTifmrTNAȑiXi(n>.:ܣ",.6G.E8Wf-ΪPY,/ȞCynUđ0Gs._sٔ@WN; żŘϮ^=R} <(pz(59S⋙+W(`ߣ;G_B@uz] ٕqB\҆لڤ0If[֊ a^* voCa+ӟs,4 I58n,˦j#)4>$u8L*9mPU: TQͅfóP!|Pz1'8lgo-QvGDn_1G`{3?U*ǚ\x.=A)eH,Nԩ+"we c S!ζ8*a*.=m,Qe ;ZSif 3AO^aT&EiBc#ؾ>aVOpͺPgmp&\+dNl/qИcg`cMH{x)s0f ܄d5=.Vca+c( _ݽ{^b AWiF/a~l0 7gڕe^mXet@#\k]UPك7\=6ciclc6u[;*0/?!tՔQJlGetu kJU&F Kt*V6EڭAj !t']kS^w1:&+lYT"K55Ś@YK0;WZe 'GPV?'Xmd K=L ?Mյ<磀]e(~ '>cq?_s-Ȼ?Z| =.~^/QJ'̴RJt\$K7!QIcA)r L;e9Wq廆xXFGK' {{Rg߳Pm  #55Ugߡ/Eo'@ I7o,>M)1XNb|~fEa@J9iug⛴r! DkS^pRٻ@"CHҰ.1tO%4Zw*6P̈́UZ=G;˝LeTa]7TOs->%gF"Iiz/{LFʃgڀe0ֆwoAݿymVwj _TL?)TPR+;.PXϝyA&U $Ѻ0lZ,3W]?W4٦5)xs>u9=R sv;ݷ@{1+uZL]nXJ\厚 ̔Lppo 8Z5y 6dSh _C3  hҞe}[_b((1] _.@Ol!1>e^=S{B5@?i1ɹdYX~#&Q >}~TgLq<-EO5iGzAѣah\ة:ty䑦_ u,^y7mq-3TU qƔb0eB3OQ ٤3r _ʈlD6Q^!1M XDf /Y0d,12'k~Is8I (% Bƛ|&KaS3#3(iATJ99I,m} ve⽎˨i\>y>iSq6fi.MCHc4 `@)~Trp`SD`>6(ˍ߃"4?1}Q?I JPS)ӌ F <;Cho'ļqO%6*x;j}7E M,մO} ;t7-;bg$ [H"SY>kq4S{}(MhfL6&J`'}afJeRԧfg#L cq`% " C,Bњ~XbGcJ5|(I2z"MD1wإAw~}*E$;:Ŏw\D'.tV?C}Xw+j;atF57WDh.;7UNWHZ:MlDD^D&c_6rkL49<줋ypSQrno^A \ ,޺YTR!<9d+|iRKIH/YXKW̺B{h~!|?dԶG i'p~]D]'*i(e[dM!IK>hc^Hc&M3r|*HXPj؄uY"rϮbhY/%G AmN]A+[DJ ob#%Dtx)'<Ӛbpo`co6mN?lk'Q0M``#e[ fD]ߚw|ܸMOЁ-@ P:}_$^:pTeq='S [1aʗt_|jYߜ>s@7O(k%3$0ɹx˱ ]jNADs_Դ[cDV>u^> e%,m,2+-Tjͽ%}R@!oz0c]PFG)M K%\ j _cWbW *ΗFm7t(&El^a@p0.p0`}!HųVDN!b7,xdtpB UxO2Ny_h! oI?A aGLn'%?ܱL+x(%DO2;{0'(DWm3"aɾ5*,`6*JُF4 D6BW:׀h:?ֵYX0 ځLy5LӸ{E < u.c2"?a"\7622cNsӽOyЪ]§y jz ٦\T0-p`]SHEhOB $2Bn޷QМ eQ\˾A(U ,ĎЧx7AO:.R4X [H##=-(Kh,KjT&rA9KT̃ TJϦO˙{P*?M5Z3ð2}rabJ-&ΘucˈD~U9 _cIjh=Rr7e/T2D.QlƠ/3E3~ah^1*(qp/:Ӭ)j,x𷄫'{PIؽߢ?TdQ$~yd~;pl? *GͻX.fP YOs E^aIyfii&F:aRҩTC7' R4Z.ٽ/{}.uGpSv#U4p#!2fҀ$ȶ}m( .O{ PJ`ޔD4@׋L :Ni֪NdFFх'K=kwgb$l](kXDP3-|g}SZj7R90#fJ͜Oѧ5lm֦o|7UfrL^>X$O14]mKNȐJ)=ͣ-\ۅ|aW NxsH@tsJ9JIVzgE@ȥf[d(%`ݱxK "m//>"JDP3Z2$WFK@5&iHۃ%ЪZ rh̤;Kqf$9c2qw@o(xu'BNWBkN2# $cTbloP!qOcοUk+u<a\_A1lU]VUH]Uhw/LOWpa&?IGn'%+{~ٜwfL@N 2 m'fOPɓvǐe0>UV T*n25f~op@ڸX;:u/[\tݪu1T~{N*`|[a=`X#=p[E=sd<.6ك80ՓiTu! ZzYtfxG(_̥kA S;`fBnӻ,|4̨ AS-SKLС*q9?@^[_|%8bXdlBM ʰ9tv2#R:$'w{[+L'yIudWŪ̂-Cj1|.‚xA?* F]9304>IN70x^"B {c>OQj5/*ۿI^;U)FVVEgj`BB? >tO2r*FKռ>9 +WMb0y8g]Pt]BA|A~2ql9pf#QRgժIѓvԼ]}N`4kNy+2`&0ƕۦ L9B2NAy]}QB2S(o+iZW Lh.$SG2)}[G:`#.h}jb\b OVi"7 [*̝"%=.wBwI6.@ᬛL(/'@[eYrBٯ/wc yy(lw/ +#*]tqQY1L;fMѢ҉k/Jî2eVx$s#";33J?L@ r퐷[$f|Gヱ<$ P{bt $Soi<{^NI'^q7M-xGN6gEg0j)sF+Nt-j7oWqs/TޑJBoֹQ#~W"X NB9GPX#8֎$lXkcmz>^sk{]^06}J wFn9Ľ[etB pL'JShG]`tHP\XQDvcM b| r_5Ӿfh.}ӯ9{ k92-s@fh3zߜTY9'IC;{JC5[ І^3]+${ݍoZ2<;h"of9z oRNf1,=C'Vymg,1ĪeLg+߇ ؽaN U r-zeYԝeE }{ Fh+l%6$6f!# n +"W/;\Hȷ?~Dic,SΕ/!ѼTK#w8g7Ā{[LU4UG–GڶEGZDz~>8-y+ol1%C%Z}to_D_ؑ^@@%B8w6oJ$’ îH!@nM*#THscO;G&4xRWRfDd{2]uDpn 4vGѴl-Q#DU^2. J>aKQri੻]\ӽԒEmzLiy"t0tQU䰁C l XVD&> /OV@MϓFr ӿ8Ю0''/tx5q_ig{ĮHj6Zg 9OVNE~"Mh5'_um{f 43\yo=j1f7;Ka|عS'B́(E[EAP<IJuB3cfSjs~)S#EGs2kt.&Ÿeߖ-YA/#-V| [I;E@˳oYo =>&&zC8iG/ATJb6qxKi h-74 fI gl9lQ߮cb_] 7)KD\TP=R*4Py|.~*˝SMkۍ00V( |r"*x4Vb~i׿Z`ζt|YOT3WްP_rk%- j^ml o Έ Ϻ 7X9h L/S3v s33yDZx$9x.~)̣լɃ[1Bs?68eW5gҜ@x*T|Ԥ-U\ }w۫%!;GN58'Rvڹ4֯)T]5F6I'Nk2w q=1mBɉ)6(o|8W":=٤JE6~BM| (!檠70ͤk$Uչ<ΖӞj#^GZzHQbG'UIhJ8.czK:; ѡԁ ) qYu[cwˋ@pAY) a!RDgcqx(qQׁ!RF\<'KԑE!ցe7N}?%2Cf+CfAtZ"JKygp˜o(&5DŽβ8(0{4ibzRȮG69>@B4rCڌ'!R40xVѽ/s{M̧U76L>e{;pegKFYp6xT#/c&a(J9љ)s]P_*!Ӿ|3v_Q OFZiP<9B%8=a"p70z]e {3:`)>㟅KݵJ'h$ =x%QRF JerqJ_dAfhKW=/}x5:/&(ןqo~y`PmjKr M&$FngT)U־Mhjd]6raG9J3Bܥx _1u7^8^ C[ BM44C}YfG#\+i!eXOH̒AWΕhHHf规@EbW҇$&p'O%襡ˬq;fP#)wIMOUxFd`&t!ru?zaTcO]fOTWwAҪWՆ)6щLd GȿD&?/yMXެme7r>GpS.PzLo53<<Wzp;P.7KFaEК6UPCU>y gS>xr ZZ&2ip? 8f p$'TjMDWg[*?Hh$ QQ:) ^&jl%Zt97l0e]-+,>*tY.;A/p1$Kl|H*o8+\BƈS*C}NE=8NP3!=3 ӊm^u}c5Cgl:ZmE2T,(5EDL|8 Gj7*Um{$ qMGeR_VM^ͧ_O?2Is#{4Ry8ombRQKH?:[o˖rybIIz pgםkj>Cz:tg{K:'PR?g=01Rہ6 lrBt24G*ڵ۸Qa_5 W'{?@ QIk"BR.Gogm;D" ^M z~f,^JA4I&SէI)>3J%lkO^eaj0ؔ_|Nk7, U]C\d(+=WqG"`RdMrES ;9$H{Euw3JԨP7ؗ=UoegtK.Wՙ)cu{YNDqѰfnL~!A&@(%Kb?n"h [OL)^n˸:䳍3o,ZEOoVbqç:Ax{^@MoEVGa˲k@ 2SXɰ&Ny WhTOtC‚%ɳظOe k!7SgޯejFZ&szu.&BGMC#`=ZJy#%>N.X; D# 7sȟ!wD  2/Tõ3\T >F} #iw `.R>TLD/"lPKBfUjoaI!CPEZY:!s GVPjgGzjƗm͉h3][+բcG>`V S(#j^%Vsj?H/KIY()FqJ(kݚe)7Q6w pAr8:N)ݥeHv!k96"ToTa)Qve1'c/{ X'#߽}K_@DY|)T9D:JB,VXdS%z EDp?PFXv(x##f'OjvVt;gIYXYp¯{o? DwW܊$\vFKh=T9-OT&}G=4ec +7o]Q[D5puxA?Ԫm~k0-϶q WeO;)ߴDoQ8fm:J(Nxf)7 {G|NӞ6Ua RCͅes= c֗HZ'ÚT?1d)ZIrЊLrgNUGF-Bn?tokC :Nчק^w&F38a+U Njupk۲؈I`WڨXmd|C"D>`'8gF1¡a::I[Y*MuogC۰4I!-?d~Fw^cS+ZHxgcH.s/,e( kZ&yL+]J8 [nvjo1YܺF* hj_i19>L2AUb(cGqkXo3D.lim6h' g&`󯜄&T:ibKFI?yweك.a^8Hkp7d qFhZN: 5h*$pa]̹hReagp QTnٍMjk׺G=@ږHmrQwcn d+t8@LF5c\y3]%T#=Rˑ2S:{\ѽ Xihnau׺]8ucP4wx2J_OQO7+6߶ϸmbji ޵!'&l}36(ZOjյCk3|3?9*Hc"ˈP`$O2i(Avl4:xJϸ jYHVjSJgԯ7酼sfl7(OJ( }8 zMkmPHodt{S*;3-Шe^[|q< 1;^ ޒ&QGgT/).W^l+g.; 5pClj7]C66RԁJL0CB"iϤ]H{"?ኚ0N DQ2kS$I @8 0̿| GbF,517 {v'ӮZ0L}"2b  bV\꜌#s0u;Ic/XcjiE|I6˞3Ԯ+^m\#RyBc[! ֳ=dii3M:,w~Ö67SNZpD9z} o @{p}1QU/XMm@ak$[Fdn4(l2|jďKڳ* *i/uK/8n 6*e=yぇ2{#]vS{x{DT+ξOI[J_n邐h~V o%ۦ~{?^Zǭ5uf hVa+&H1_\<4\~&C0%{ɞ|Lc Ev)2Uۃ7TE(0F3Ou"\u&Vګ'2Y0ٮiן%1 )96FU>SzM̎:U<[/ЙWj,;`^:RIM)G`+b@4ȯ~YDZ V(agޞ -'%9HQ _=ħ$!R0+R>}g]lMzþ8rnSpk֯}.d&*Bh;/DL?5"߶K(]J!fcL*`[ϏtOg)NL"S 9>ءk㡗LωHȜJظ`RD `,g^ob$!WGD?r߮'E&{ !O<A?52a'p?0 HCz]fwGKtHXL-xie7hhTbQQf}Q]QEWi=OFYihcmᓅJJ}kih9m߷fp}_yOriO 㭾J&ʄB QszS%}y{,*1]yrEh>X_#)yyV1 %#~Vy% 馝eY[<-V/%{ci#k d+ l_oVoAUكW7~dc]0qܑ cF"L&|5g jW#_M$Ē0sWc,s+H>k)s^[7MOd6LqֻĬw[Qnw4rgEպ`)k)Axk#4`Rcyj!vlD,f[(H0~ `+Tb%!|\XNwN(lo2r[r]sȘ̓?=QJV< E9􁁈auWƈ]AK;NErJ4 #t*_`QXp,Fc1\w+|Z1'A62@Jhq Q޷4^[h fLbIW9p]|] '8˘~PJFSJM5^-V;yŴ)|(0ޤL똵G݊5&29fb|q'(:`%@|id1Y uY*H`/ܨ&;dM7/%AL<˾LdZiOIC#㢪< 8 O X\Ѧ ·z"wӸ>Ӆv7^Q WQG}Ep/ XB:nK :\Oi^Gj _㶿HolDCLM8G_e牙6ߦ|88%U@S[$j57Ol4!d#ܺ0lMYOkrS9.FՓQaxhIWZWN>"1ϡƢUQ~:kRepdv\zꉇ8t5evcUx\cZdܭH(byEq$8 ]g Bj%Dȳ;gWgɱV_Fɨ)@P&j~Mk3z P fO?p{ 1;8u܌([$|԰ŷB!H~j Eny܃ yJ?ϑV^:H<1m[;d7@uHtݢG5IU&<8~C.kẸl[ӄ1.*;w䌫ڛ YDK2L8{xnxnD\Q퀹J}~HX㻙'5UC٤Wy/d;]-Z?!8#ݭ"q9VIfX~|zdoFUE5+%6 C uS@[#rۤ]Jx)͝dP`W- x.KWGO0 _ԕ3GwIꎞK*Q%mXPW^Ho u~jsY CZD0ifZV}? ieXC׌LopSVg0As0vX-%o//O %]!]ќJ,M0nȥG<]Kd"a7<aj'ql"u'+ދk.HS$J+'$Fx`2wdd\JD 4c3DTY^"rS6vWЊ罎0*6j| i5R#7'Z&<8`Jt6/ S4Q 7j,HS@h*sʛR 6t "aer 97܂zW"SRCLMks`Cf9mB@ 7MIz-ԪB'Z03vn']o,ی+gmf|j2Hxysz#l65mJY Z%Zy;gD[ǻ>89|_?6K{c> ,V83I t7[b7k>i4<`& }P{Xp ԉˍD$4Z$ ,ۅqGݛ?RoÚ v8PC1qGa_' ?;R_*jo.AN$Bfۛ{j"ga~E&9{gtdNp@'ȑ̮~P(7! bVـLQ J@4)#2Q(_n*] H'{:Xk IԖIv&h$b/Yh_I +yǝBKrAC%iU :7(7/@ v;w Iѓ/__큄tY6;e/1gu/{mYzq(tnhhԥAE|E_+]`>ZB|'O٠C5^!+ʠĘ5m`L)ه.DL縺 Zy\Pc S)+qPNVK()rBT="]3[X\:;%S*̷+)`tŭ-P* #AO,p:KD`TZ"j{H*C,FޚLC{کM\\y5`{OA~&|*Q$фX)zaH8$ o%x*|i#Cmi8+:8q$7\b){H]d@@C3Ŕt \ˢg9(̳*WNՀBnzT!+I߮K&Z 88CJ'E@8)K*oI$fYdS:tR+BẃRX> Bew>(=AWă2Ҋe ])İ)  [q|XUzo䐥*oEDeB+?G ;ޗ_b-G*}ڝJ4-,7nF+P@ !p>Gpkξ5|5˵1'iॊiu}whcs#zGV Olז 4 N`8g@.- yj}L,.uZ2+2 xn D'=1̞@*չ }$v*~Z^*@z(x#&D'E@9A$nPfYI:B^*a/PP1iXl3價i $Y$&^y>hO~d{"RS{e,?n%XS2 A> Iͣ#^sU/g/_vtYÕaooVX@Q-k6ڠ/Կu@8so8J~h-+ ~QqJZM:ۃMGȾ+AuL -(VaW&gJH`kwWy[Hkm&|{Ynq7pTÛE;-DFGH+=w,Wӂ?ͥ#Gi}ô+yt)`;R^3i;T6gbo^[>3E2 qlz({̇) aP_AGa!$Gi'w\nu_w#1iW%/.)hr OyxQdW%ϾN$AXN~蛼irU=T9v/xIl9dF 6UDԢ%{~Ng&2FM1A1#T]LYYY9 99Q#/L]FP-/me Ԕ Ô ;d5fK)BELuT169teai^ %IO<6r}])%Zs7h5'gk-mN<Ab`o,78%U[(h Ts`ۚXuaV[j<۔&Fx刬ƝUv@^ы)mɌC]T$x>nl8 qVOhuƟGR[poo =@9zd;ډ]뒉Enxv!:l--g1Oˡ HAUE-Dm͝ H[_%:^``V0DW m=a¡4~l-r4_ ^UЩ-./bo:HU9[On - Wʷhkރ?!Vݎ#m`nb^^IEqgrFd.m5V !:T)BQWcZ79J)k~`NQd?wXɆsչW]v]b=kRLLA,"4q x'P/dMVk*Ejܥ>82dZMXzY3$8njyPdH W&$dt*/Z u;щD8emO#kKɺ"6*UONS+:ܲҊ2whCh=@3;'U-@q!_2a%)V]&$xBgh0:3a~3A A6hC>S;m֡']uH1߀Gӎ/x$U]R3GG08SXt9S<;o5' w{f}<U\v@$%%:%KNo?^Ii1w>)\|z1m#odJhc9=GnG̢<}Az8':h)lx7\ 莰Ji.-{vѠ;eZԣ.#2VY (*Wg&ldtLO A+,FoU$L"j9إ6nVPC"؆ܽ+da 29uxAy[=cB= pϭttl C5A+-<(mj䑎k6 F(SGz/ekߛh(?yVhĮ&10y7`S^{aw4Q_eD' ls͈f. A{ K9Д=}V& fx%EUfaA!kK%PucϢW:>g:QF8x ncU*ĜX2p⧁˪>ց -U G ]0E'ۜ(Ne>᝾ >V<\D wa`۪6$HTq@+VMU<AP 7`aAkѱdJ0<ޔzQF5=+U&c~3", f]}VTD7#fl OG5ovҬ-dHu8QvlcU/]'wd,/>[ 2}~C^ FF[Y=Xߒ\!mSٴ`D{A#obUӘRMr=kypy JaOf67Jf? :[fwޑDN_Y?}tP3w;HC'L]F,6z#%4[)Q*B/Yqq_s"Dh%Yǡ+^j>aQ|?4uיy8*%WRGM+EyVâʐ{30zwXh+$q\lN$0̝'[]$ӵh_S{XyB2k@9M՗{m4F00qJ%5$ {JܔoUESt-!XHcҎ]\;+k u趨,ؑujȠ#XgACr:0ʙK7Tm JzHlm[ZmW4CP+ \=YW0:Jb'q][#+~i_{W, &F>*hQ1Aw^0cˍ98XDߞ߃QtPRmNTm V鲐&ⳭֹWf^V:X} ;‰ah'a<7fH>GXk4HHKm)o2-bTty<ΚtED9*4?yШwe<&Ŕ~n4 -6OrFh :y\]lkwn_3`XaܴjFz=p|jb2Up]d! xo$^ ۪Rr q."{oLޤvEyk|l#sꖶSu'u~ls~.bptј`,1="s@p;)Ԗi{Mi@).Ls* @6.,1롞(]mXon4H#0p}hnx @jd^)S]Oa}6鰓#U=)4zF2dḫC5^C`1>$]\|NmW+}|.7cs<u=yI&M0YFax`0gÏ*@jr@"2hQ˿&I@oĒ AI/idQݢؔKt"LۧcՔ%7ziܣ4i Ūd1Sl؊h†zJr&)l*ӽq$;7aBLy=&jQ0 _Ϭ`w咔=0IEws{)ym8ss]ysovO=A,7T̨k eQERQ+ìv]a0ijNCW=#DN킽RS,·G~;AZGU*fEwr.p2Z5JBb/[2mQ%B? l!O.lhi#aa1Bu_-yt7eQHM4M|Fld4l>q~m9HSXN[/ҋBHR5~uM^wNJw1g̷MlD$e_0ԵEcRڡȄGi,1/pF&"{p7z!E?$y4zQ Pi2}-1>hdO:$ߜFX DHޭIOM7س &%7D6v.6N,yWa&y` 1FlK"-uNI9Irym398`#.jA(B!/Y'\]{h143ǂ.Ly C˝|sKSwc(_P\F iLVɣ{ݢ +PosߚJ4'xn9x,:a.ȜXrI"tR. [ۻVTs!C-fs $NQ{>99\~鑻Kzh6EzΠh7zx4oM?LI(n-;sp¹sj a&Q^.}c!P`U*Ҝt1WQf]9~✻ԧ%N"ƷvTPORmK4YRWGhuͼ; j'gA.=jؤQ } r涾#G92 (t*c(y?-z3?zUX R2K2#Pm3]Q\껣FKg^qa%no9iYE-W 9?ZxR0@UsZ'Au=g@qzB/;kNDcUT )&nu$7Q7% ̵wo8Ko;èFklHY$X(ڹ 601CJTjE8-4VI*p]G`T9 oPԘ<#E']aBQ?:MBg<2Pa$[C?HOĿg2:QU@T3E7 q"m(r¶BcI%@J7D3՛Ca&H,Y C*Mj|AYsxxuҶw/=1t M\W85ɥHG3``N#~ʂ`V׉{j?\-ĸ 2 zL}9Dx 7{TaTT4\yɋ31BFr!t^Q͖W{P#YGlxO8۰CmyMFqqV*b([ch-/b_Ji4v6>ybA~::| d„KbJ``׈R,]iWǻ0G8!PZQ}%HP\+F /5U-XYLD5}Ӂnt etj z\˝r:xAw1 5_e'Đ>'/rcvڨh /ab+ E'b_\^ dPNq n27OLMOj"vHT ;eīN,u#!<+߫-#xKS1~mM^wT~inYԙ ?Pp6[Q5`RNq!ŶWG|U䏈qNtR3Av~GLßj 0W(hwP27z010+}֍6qI&ZtF7'ЎQV L~Ӎ[gIIo 5ƺMc3AL]0gLs" vM.(l82lA,,ƅ#mkGJYۊb?Ťmg (KU~:z|e%B:gA٨m/$Z99&Q$0nt9 Ϗ@yD~g W5ǻEqoH ~[B)w5~ .Eu@=ׂ}LPZ=Oo%7y_Z>eS[P%"N|R[d <8DnSie>8aat{ud=3͠CIgĮOV(di/,f,spCĂ"@~vYv̸Sn~%Nsc倍.g-N0d~wYԫQWK#8b+ZnQjy" %t:k7{6_ޚU>P1NwKb]룪ߦq_MΗ.PSĒOYihyiė7L^#Qc!$igL;fۈRV3q$4/F? 1Dk0& w%bh S| CqϪҍ7AoxY<^Yg}ς< U2L@y3K{ ZϹR1>#A-J`eyaڳ#kh j~n|~U0L^}St~I?%l+7Ztw]pí9 R>+|YWy ݽ܇I?^o? ح@H:C^]`L7]KXDM ^vyw{ 82dG*&wQ#W? 9Y}E.l]OB Tqʀ7aM6"0G$c@47Xbl%p'l#07qA(<ˑMra6eғR)_]vudlH$-8tZ~A.qzIc⪹n% Q :\:ӝ.6Ml?Ɔ<=x@g]4Z,"\PM5n?xd &Dp,#ٯ>yD1uӦyȾ7X!nȬ,/lY?!lRlSy}9@%3GȪ.RnZKv˭6\@ "/iu@ 3YAkW2rhle<(y"2VZDNAQ(uEj ;ohq4 , |˂W e/PqK~WڍD_SΒBv|E lqXr–T Z&|u4* d ]R2$K0F|>Jd(Ko"-r4ہ7 <^gd8o7zذaWj;ZWא⫡v]h+MT,0w~Q2D>Z۲^Bݴf\=nfc!dPƱbv"# F̂*i7L mRp4CjrlI61JG~;ylLy^b%w-j{W2yDpMx /s;LKӲc;!,0GRAK?kAxT 0{>sx'iKnxhRP5}^Љ(64t.PUYpdH9ңQÔr:'ǙM{y)>& C꘢k.Lμ6Teї2l}E򄀹踅t)=iL1RT0iHڣHh6I @l\m<9zm3:}wW`3:Ail󛯨6 `Qv9^Gha{{껑vnD܌3hV $4">]<"G oxdv_ՑXU\ ,b\1iɯD$DsT1,٪-Zrh3٦q+r[gXrQ݀TmW"ch>Z׹9#λ޴h*' 6lڽ5 WkݠH]%$xKA=HiҞ Z='WWR2_kQ|jtp uEjC خ]m9$#0 G/&W]zh$4FK][\4$GJE@+eA!Z (!Ȋ6oUdʪ 6ٟi;!0FfBV{:UV+5u<(L7M) >@ %8!eTC՝KE ,ұnjT`CF |D`L`1.[d\21F,f#T9oav*-Q!=P+بVbovhOM-B36NTqL1O3⥍xWAB+mJ`d|?ioV&.)Dz4l?Ym' 6/1de.˖aH^+r~.kDt3Kz'<7{fAQD>Qx@luGLSS#NATEg׷*, ۱n>y}]!|h„E!epN۝^g}%I RYC"ʓ!H8WiXГVn+ej:$xgSk(dL`}?v]dF^%E.gebs/gxnuLHd]e0sx(쁃8`cTzkd;0[ FWOAiǘr\ڑ댊*rs$kQo)2[ 'ЅKML}+~~t6ZQ}Zp Cjehv,0Ϻп~qy~}`o|egMǒ{BElTO˽ROA:2J+@gx`#1o)+$qІP ;iv~@l/s$:,LJbCşPw|CSBB1}FftX  TƮu,~uw=CcN09|u眔P"X /TH2s5y*0kg|KaT22~ ? 8j!M#h[ !bG lG7# eL޼$=zt^IcU20͟)Q7n}P;qM Y-]>BR(5+q!̣_YX݂VUBC; }cQO#ӬX0~ˆKLM"lirן~VN~(̺fZXy 9W,ǜ3A~iv9sD(O_i}+0Z~)*~CcX[2eOO^'n^rl#A e -围;3AobTQ>TRhG{xufatʎjcᨷwD,w0F 5nw SCHbB*iu2ݕ\- vy%gܙ2.ig2ې&|qA8n2l%i*-,1z=cw!]WaA[)ش_#ױ>u?U [YTlѕLLih2*RopPɣGPeo9"sfvZ&Fu8Z9ABk94v5qp}Ե{ \qn u.ͨI_ku2ݮgO ÝcG46Nr]SN 8٠"5J'{-1Q,B86ylj,i#V.R`վGN5$ {|z{`{@0bDˉrNUcBHNr"G;x鰭, !1dC%!Z^M$[H2L64}vkаAm됨&@n49.c?hTMq*e+[z^R&.]η#x"va?{!鿼XfM^CG26X7Vf%_ZZ_7VV")@15lol?%/sDհKfx|JzJ>/ҥvs$RbzZk l(j^A$%H![6Ɋ_K{PA7_B]N׳RLNt Nyخcpl9)w Fʫ]l뾥ۈ T3M!;#Js%~AgıÕ1z8r`Se6* HֹZzˏ|D\`)ơ N!{ 6e$ 3^ x+V7ʦ'CyECÁqhbM3Yt]^.V/[1kFˏn_VI=_&#|Scip17Uץ9ܶ`}[#ˎZf9YEn Z92Ux7s?a ^%B& [)OJPe;HLژY Z+Sfՠ8[4 % 3g2k"n}9qts>@ըՇآ<YȒ^U&[h6&[]PAŷ #`[mW`a4ao>;BZ', Vh0FjyVj鞗[w|bj@pMpq`w; }9?LZΎ%Ic<7++lLf☢|-B(?:!<3ag%> (wZ6Nb>'ॿ,OCmClޝ&+uoHtqm+k<̓2=Ό%}>$Kհqʝ,X+-}}{$0NHk>ʦ\pxܒkNMoّt@9!O;:N0$ѮZ]t jp'Dqm" CV`} CͻV`pML2/iAcuĨ>_ {Ϋz +zJqsQ."0Pq>qɜAaFvg~ 1sT\ޒ~qǦudZnJx. ^c wz2yU rOKrd i\&y/D\,|:jh Upv?'\n9QWwHCJ`_}y6gWy1kw7[p.UۂlVLA.CDgB,~n81k UAGx9*FxX*Dl4Gd @z6MĄ8}U#" /r)> wt0z7@rޛ>!N93'qИqrny!ókǞ*|`;#б[?TbJ7𧆜81:G+Ƴ`?8'è"9yДngP%cIu]\aVL1bלN>t*Jwz(@Q&N yiu5ʥpw ~)mŴ/@P0rZ6X픹NgBF\ws~ n"@*PB$yE wMK<+(U>QxA}k{'χ<"|ds>|7(GAGvJ#Z?d^ZOEeBwiYMM)'bax2 S G1 ѿ4DUD2eH l2{bQS uzsmi'+^[aޚ=I.upv軞<q)44cŪ8m#|{W 3*v8|R)َ= HK- (Y: HN& ~ƔZ. j ^$SYqB"Ʌ3{B+Nۄ #dJ7QahhpQR݁8'tJ_RHe3rjk_#,:XCS1!2yg͊-^9vYH|m]!3mnt}up{ SHLK2|zxtdP^q:F\\Qf/PiEIm^[6/A9HDhs9ŋ/ۺ9Pqo¤ur$/kD, !yn>Ëq prCsf,&wRpa5wUUNqǗ8yeeYjTwu'M.#L9LVEk*X*p3}穛I]|zAC0S׺ēbY^xhN̑,JŁKB:Ԙ,Ɵ3fly(蝊ek%aԴ(tN5g-VŒ_1Lj)0`MY#|mz9Ptm]]M~ OHShjɦ.WIM8 Q3΄.K.YlVm/4j ;Xc.Ŵqu.w"-ʪqdo83K:()|ͽ۩_.L%t\eh3ĭONނA(x,sH:qC먟|EMrAXZBxrͻ.UI,/cW1ZA(S{ U)r_y]^y\-@bo!׆;)gQkT;'5b[.2^3,g#Ib6#IS1(@5;`n;-[T@<2RmC lK~ wEV(T "^ɉ@VP/0#l Q(e&HQ1 I Ppuq#EQGɚKSctطD/[NC bW-%ÃIqVa#0.i)8/Z}G /2WE;L@D_9mI{jl\S/f4ZȾX6U" W"%L*8ሗZY-#?$hfҫBEɥrs7դ.UvW V:cËF#VCA=~V 8mٸj(< ٭Pb PO>w(?^G񒌷~u3k1@J`f,֌p#slЛEF5th4M¤@[b@EMvƋ   롆c@a`LȘBy]Q[J+7C_oU)Z޼tJ}$EW )َ`S4ϫa0@ds(՜Њ1UeebjMo2&wB2KE%ȔOb](} 掽 #%׻7[!ۄlC|mgcGdu|H8GLthlN] R.!ZJ͸HQFJ;a2p_Ų!W@|V_])5yM7U@X:.MtC,i rɢ K}LjƥF߫'5)a"SRJ`p yW=\r%d9Ei=]_O&BKLp+аVPSZg(̈g `#U,>j*[W=,mFtZlSe _CI6 ZR߸󶨇zQ{=3Ka5uڶ}Q)Ұ,kbKuv Zn}S!`=7Zβvj VR]I̝BPM^퍈,79(#9gGK-ң7v2(d%dkLv-좛Q[p^s"x*]+#([@١g..ca p) -(̈ǂP}*,^Τ`Da-`9SQ@~:,WL+4Z-ۤZԳcvg/d ]H &%.4"H8HS85/6IaޠSvȫ.-G )P^|&SVJioLEҀ4O$C}~qGRv=QDț?kOߨX`]#@:Ȇ]p h$UճVYlOU:9 r jF)fvΓ`?K׶֯Lہ$@M b)OY?S6d'Թxg;ՂyS: ^M{eԡ,:d ACt V߳jsV3$=jVp^CI/e ܅h~E7:ȼM1#|Y޺ywGeVI"7>ժܴ}HHW0 ]+ &s5508xn#G&uǘ X6V>ꀊ)խcSpl:ҔrLy0K^{;Yfi|ֶG',J#7o zS2䗆: . ,l7~̻S^ՠ4aZ!Cπˠ @P|"A1ǓisrauH~Z 'lT U޼ áɹlaw=2'O}%l!j?wmmԊ5[Sڦȩ&go5\a&>L#f]^FT!& ٺ#/d~ VQ(|5$J][t khȮX!$_4JL TOg}4"%3!fP5=5>uɦ@À@B,9 uJWT|RT->r.Yr q/UHl`p*W3/!Sby3F;ly#En;pLnNhӉ?%P*,.naJyqS_$,cCMk!JPR.qAWs:Li zAfm_Vd9$!4ķG6§쾥H*wDx9 ޢO\3B%zZbi݀c 9Ԏw؀]~HN> ᎼK4єui zǧ@oAHSQQ+)+RWZ8YiĖ@ ͶfL){SN4Ϻ#4g8K=O{mxΘw3N |N%yI[\9  S"&PYZܒ HNhTHaJ:$W3)ރ.۶?_ɽ>^XP@Xw41Zu >K6h7puXVMg`P\ U0,+|݁E":f=,5a@0fv_pd5qR4ǧg)kq)#V$^?A9'C'cR(z_nNP K 'MNP>/?'5[ y1vϖGjqy,#,. 6q[PlbQnÓftB($ZṸ^ڇK;8lw(䍪^BQ]A $xЁ,)SaMt9 SIHEfX(S-{KѽL[BDgi5LrDcP}U}G܋>?&SbnKiy)[ ‹ l]r./R+ J;8b ԥ)' C\V"j@8g\+eP1TeדKa@(.o<ێDz :DjH 5 Xr늧skG j ՘8 R(_JeP8trǡkR='b>3W}SŌ?)c=HAgy/19nq/f"x4m1ɣ-@etJ6_“<%bd^db֚T9;CM&(\MDDXhN㎎gB b'$tFsf9}aW 0\yr5ρ KNyHuLzCR4D~.K(g0_Ms<> OTDQmWT롫$)-_ X$*sk#"aoG"OI_äNm랾bhܙ܊ LDES LjI +W_ߝP\]و2Q+$ Ư'g3.ab$tp]![M"HQÎw4xC77t8|+F%\2LMǾߡhH=G߫`4G<&H@c]6 uNu 3\3<Aۏ{W>iŒx 9XEn×|@RٟFsG9Fh֭dh: 11zqƏXr<%p=gMr]9􊰞&TDR=TWԈvզfԄmt]?-IqNS@,^G"IyO7֘t&T14l|&H~7w%9RV7B7@CDIr,!r Qz-;eӅ : k][:EpBIm 0W yL" 剉 LWYJx5P>[k{,&u*@-H>9 WorD5끹c"ӧD2C+>y8{D q1氚0H!~oӀuQZ cR-X?8N@PW5θMi'A;M9ۻC~iK'aعl_lwHRwhJsx : FaN[ì+q{;k4ߐqȊq3/;0!S#r9 n H )PAƹ,Keڱ9?bXt t0b=3Η#кe6Y{?T q3fA(A) 9헩ܤtzdhbߠu*a4YF~[P bP*9f\2Y.Ч>;^_ c`fKj_;-HlXo_^SBjB(ŋ22aMB @1Нw} ȜAOɒ ~,6-pEe< w=rt7%wlߪoxJ2P-NP*^3î_'^"ƍ"*52"de%9-C b!Vp Xw@bTHM Q`hS17.pY/b3;DHx/zvaN)^2'e@Ԡ=˯XO[M*'* m21jSqGf>i{6;q|Tof׬nJ'fnVõ.=c $&L))N6D<+9}h,=FSL%VDž(Ǚ1yBe`>d:H1<;4^1*D7i'HrQe^x">_1H7S!}S󗘵$~83?RCW!*CdH%Lj2XbOϒxChoPɛǴ;5pOtK{$!{=t(^i)LGbUl< *#0r\mӠ2!zH1X""b"`>>8weׅbfm5&RuդѠcC!{{9'Go3hTB@Hj+ l`uR2~!eu|dY"$IIZ[ز4sO] uyD%Yavf7>$7w_`fxqO6P 5un@e܏hls\}bGHL%2OR Xzڳ!<:,MŰD]r0qXV>`D4qH;VrfH"™ `J-NGjWf A)A,ABW5:Cm.K\!1Q1YS??Wp/@̷bpYbN{`}W NLD?yX i R˜E3ͩ`@W=i䳢òЧ(&t {T#&Hf/d-p$Nsao5(M&Ǘxх,Ӗ;(a"D5"Gb- _qK i._`"P #(@a`=4љY-ts}^ِŮ\Pk-:A .S<%X:hw cpS| C_*FF5RI0=C#\$1JUG>ft$c@OP9ǩby?I]i>7WOQy{9[,˔ֲ{_\^`ضhRPdd)I) N Ή^u6h3<\]n_g٦!+qWHn|ɝ?q&T[д-Dua >y0W8I)]S`̠!MIy`s]K!CH]u{.+; D!ZsRpa|:ud(7!J""|)k h {uh-|KAе.@5)=,uG(k CH!ܮ~H;ݮ~}o8nt] V<>Ta4Oq_pԇ-oK{ʡGzeNs˧^뙜}̈́RM*aI9@dbdѿ}JD(9azߠ2?y5*=.cR)A6w@x  iH $ f`?Ht@=D'Pj)N#pAr>w"Q- gORUaw:hcC qay1r8JԢNa|XA09h-4!!ÿQhdX^Zk8iy צ p"wpl%ޗu0yIğD9]a(Z it@tz>Avw.1f @D65UԗہQf' jtwDˢ.&|SD ZNn+~Hj{9n:or=$ 7ya[|ˀjqbZ{meH}?2tVSωċ62%SXUQ<"I | F2+ypP=I=x+eX1 os6`WL-͹cc@b#mePPI󋜫9?bo 8k|o?}dʑ/I&ߦB-uwS6@)lkJWKtD&q\ٗ%f9猳&EdH!qQ1uGA~I0emuzt]B&>Ďy oer:nF/, M!Hk'9X $iQFkvrĶ[ȓ}x >bfEKoia1+Sd_ދEyY/xd%t?V;ⲯ;g]=m _b٘-oTFV8Ap)I@O y*j>ѡ~6͂2yH쑫 {̹3 Ԃ$t ?јFIv%ng VE$-x /v$dǣG/Ӡ@ K0\[)d*~jycF N0#=d:8L8߰$@ظG"od֨)X JE(,C /-YHj)hSme)̀fC Oc=ZM6fQnUTT9)S0K}'V\ kaZDwhrWxUKh@'TS]2`߈M@c]'⯝t6>|xDAQYi-kS{#fb ,: ɏՇ1Qcvu.ʡ"(o~lA5QΪ & OUQ)'!9 7ez,*f6qW0|'Ual[igkc|3Ot|NXJrNroj-.UO/,de Gg (>tcOضnNf4':ɀ Zw $US^g;y.;*AUte :ȭLZ1)ξd׶xJy`rROaƬA&(]ޏdԨI0!".҇ ZüwJA]7 鳖N70 |<+,(j !,^K烥hUM). ,不H>|nk9FҎ. -ǮjI֟+c~waGqyv}G} ] SQ^Q(D9~x$bU1caRDm"pR1Q}&6^-MiG fo`M֋7% {H}liiE`iCM3X ),K& $ 4Z$b,'e5pvI&j+"19^ӎ1Ɗ(Kw\{T D͒Xʫ\̀#ay7ve N7 F.KjzQMDm'HqBbVkW} 8)L ' Jogh )C]賬|^#Wt윃|7B܋ S,:wQiiyQO)<0DZV Dlo`[iQNI=p^ǾFAJG?+]$N0S|cBOUEޠKu`gt;!&Qz=6N??͛ haPg79!@(iYif80VVW+;+ ]-.' p)*N=? ~w::'$`.YN/~K[s8NVqhwYͱ܋&L24)kB#lZE>{ϴ6][b'BL'_ﯼ EϱjW.ogv2xq%pOTYh̸r&@a . I$kSTwBKrԞD \BJa2\=P(}M w@ʘX4-lҋؽV''hcF9'G) J+89PI'cZv'}os nR{(f" fX7;Ds&|d 1e^^vEt e Ͳw:^T9ZA}qrW`xdoE D*fZ^34^ceޜropj8y/)NeSհsϔ֥D,'ًoz;bZh#$n+E_/ujwPRLh1{5Wɟ 98(>)@&;ES2Z.r7~R$$85ӆ#8廚A!Ww :gLngD6֫CCauy/.ʕ3 u7ױ1}$\.Kєֵb} J@GEK4vJON`2hz5>Rk7Z~-9(faCGfVTlp sQßYXԀE)p&ރ/yK 4a ^WtI]KqO֧;U31<&pHw6=mkjU;  l04t8$B{zx?+ge~G PC\I `4!;֜ǕJ 2,lZ &Ep3̞UӸY1ܲyOpe]tC uSS-X~Hq]r]l"<[5$ĔY3vC* hn%% }u :!pw8s'ٜk39OB:/?0E!b"IJ`S[v-%$+UC5oNbM$/_K2x]Xs&ħzgMu187+Y$zI}wR=n$XvWEKWSmϿk \EY$'-p60+L׫vVm0g ankruh B m +AoJڲ0vsdH1ɲ *ݯ'Jk_M 15ƙ (kH`/R!=w~lr4$u\h}Z4C붦A~>6QTOy4c cG$h7}iC 7ngPډ|ۄ_ƚ7qXJOx؎\NA3 ) 㶩N1* 䓶/DXS\MbxB3ـ]07 F?-eAߔ\OxPj4"n: NYO(PM_o0fy&lI A4 ޙ=NkI GA\Uq1bSPxSkZmi:0T`_aaDD -й@(OW6'\WG'F#kp_& Ya]PB3ZPX{Ԏ X0vB d}Yf?ydP SvW1?C-wMܯWUy0xJ9$O źlSILΛ挊LJEOQIkD548šq{N\'ܼ+[,s(ඡp=Y~K>qzC_TcRl wZ1ݘ8,=KK$C)0 ͭUA.bm\fC"\m͒n4ptHC c&=,XQl ܋S Uuj5 ݞ@`C@hETbqcId{[Jj 4C(qR)~" 6ȳ9 er&Eh4~ ?NRuÑĸ`$;(Y!ۃ䴢m/s@\o9tXEx3s w1+6<UIN3U˥X~Ñȼ!:ΡG-TayXw;39so'ZΧK!\o _o=nW9&DyVW C[˩8F~,/_v[J bqNBL ژ©l_.G=]xčJ][6 G' fWC|ʰI.G)8*У0$2[ ꃩ\^wOĶ@Bwt"3O'>W9N&$2]zXx "hw>HiTOlU0Z'hbDhCiKWycR?JPBUYST?7;-WFRI:ҕ CB^I_ 1AE1Ǵ H~.͞'ź(=BvM[KH./{neP ҙVPlo%Pd9J{+x۶o5$[4Gv!nɗ>Gxd*Q+AhB'7[ӝ+ IDz17|'>!v-JAxk:5Jf74Fה^OХ&\d;Ϭ3BոFa H\#όfv2HN\[&d ځ[*a?,5D%B[\zhL ^ٵA2G͎ǵnWE6&s7wGTloU-G[];߄5(T3}@ޢ1ŀ;l)!"g\w2ѯK85оgB' F_cyutw9 {eVYar5< i.BG﯏1 .*kUrBmwbcϮT*}i4+ƞh_O=`d`"X3%7Vu.w ׌#*g@i75)4S/ 䣋pxB(EB Q$gf* QmZp?:%|U<$w&Oc ~V;\Yzdo5^  q]Vj?\e I;]mP qNQg '|H.}U2qמLթk+:%01rTbUcpwܶ(RM_~`T\ EԞv]| N, ޽Y(Ŝ(F/i qdge6g|e.&ó .Я*DySo-ѥi5Es&8._ QLvO!'E'U;^Nbvh@6<˳0`+K?ҦGjK`(!8I gax,'_nh7Wt|}a\8пT.uHVaꞸAw2ޚY #H]@:r C0k߅t(\<hFF鑧6a7j[\M-;~˪$ g[@ݩdFNG}Nu¨6m+s[ʒ@T#4!ů5J!uu̍.kKv-/% 맆C|4~u;g7=Ӿ?Wz6rE9B h)3x4y2vK 08 od/47vǷ/1kAnm#կa7$K=v Z[]?ϟ2G ^~iތr2rri&m$䬵'XcrKfRPDwACq[Wc* l&>dT>ûX[ M~g\*҄ͻ\=! 4{UhQ 3əs>\MZ>+L듼5wR֒ s[B$¸ȂӋӧįvs: y,%h{/`$׌549f0|Pğdi/JTD@!OXEښt̩CrcƯr|L7(x%F퐶.'x]k_IL25Yw&(Di~?R k/u<ߧ"4?B%a'[rmڡ‹?MWFi~[>v˔ ٛQ;[].h`AnԵ8_p͞e^Q̨u^%|} RH^=_%Wf>9佼'O*hB2.p emNvPB U ߲'E@dtFRq> ܚ *OMt0i*w e_$)Ă }'KvƠ\ƥ^'ZQCY"-rۮ98'BKgΓE;SB$(UQK9l#4M?O: Oe}Ǹ1 xFZE$10xy8nփKXà^pp{n!Ss*~|tQZ]YԴ<G%+}MoʈIvO6`]uam/`~q gYvo.- xR!=퇓P]PcXf%dKeW>>nvvm◯uZAB(P]}eȻ f&P-DgLKc;Jb BOm?ct)/.oB:gO\kMo؁㧰9-](9 (nQի9?l pWcQ7@XXO6+HCq %h|o ~6v@h՟[t#bFQ,Qj4p":z  *bֽI=EutX(3݆-poI;ڏy qLM'l4$:ƒ}guHTd넃5t\`L@˹P*An['&$gw<҄[-Jb@&h&ճu6LrN!Kqo<^ijLkj]./y+eX!~,jw=9N{΄v1|*vOn+yCcq$–2wY_UW`V&Q &veAp2S랡^ B 1` )ʠMdtUqFBVA,=ETMʁiF=|%%j`xjS(\S\U4>#EiCK!kM'Du&xG #!8qPO27>3/2[=1[N3O/jHOXK+)%4իwD9wX1[fk׬ZRhk|cل%l-I<ͫ) +h` Mc "ʀKb|F>|2Jo::CxW b!>6#dǶnTvȐS4 | <D^?w.WV\`n)R k_/*u~fÆa"&`%9,Tp 4"sVBW Bbg+aMǁHkk{$h rm֮8cp`Ҳ#*Sٍ3/ }ðxgTRiܴ5FIC\.yIa ӬH}Re_-m=*DP8oͰ&V~!g" 1\"=+ZZQ@=Vh6NGHj' #wp%>U&^́* cxM%w&fCv{ReF bLX P ԭKMC[(JZ"qJ#ijȪ(Β^.A$&m4Ke#s .~BLnvfa!^(ݿpф-V3Zry]p5Ӯ@D? fm*ƺHAwTBcciF3uNwYCO)ib<ԟPZ~1F!a0:ȮWz1*XX9 *璤mS~uHQr=IO԰"Ty41Ztor?Dd'˟ǒ7HrkWr;<ʩvó5FW3ɴ"Ysk#SssRc=0TaOvIïf+̩FF7CངphX[m1dwqPgƝ'LWBM:wXJL_4 %9Z_>L}]ˌ`YuMlE#*D#Rׁ!*H>t `omjTYZsr#8:j[x2&e|Q~tGkkEgV0Ŧopk1۩} +,ɋZi$ Py} ^J5LR]4\x-7lEd@IJ^Ӌb a 5r0d2?o%2%9^֬*  kT$ :o)g:=o`$@_^yz`s3PW ы3JRIÓ`rN#J7M99|Y筺8<0Lt6yT]| ڡ@iy77U[t-T/ ˩^2X(`$ZB!)ʗII?[ϡ/ص.$ aܨ+i\ /ܝd%M[1dYȂJU\2.?<',:Qz8HB: y~77b\spQG"v!0bҎXykOo32Os^3`a3:ܼKlJǗ2/E+/  u(f&z䤶ODnք9%LBI vBàF0|ERp]HF-c6 ^qe@ NV B+0b'EVg<{<}9k\4RT/TyГ"xmyaGHg6NO|-z{˪,g_!crl24.œr,4oFkqu(uO}Z%!`ݭSo&潞@0rVp;r?5 @[]dTI}ҷ..%|9 &Q|3\",5·gB{D"Z0I'GS`r }K{(=L)gVWnݔ6LH=[Aؼ x=)8')nm5f"f6$S?7[K#`3xwJB"߹E=f?5nu"4 F3`C,TkK2{3MFbiJH@P24yr}xj7P=#"g)kf.Qw9m8dPiK#EPdAg+O7w ;3ۏj2e7FGͬ~} ܦ)i\ez1Ф}nP`SN4Z(`G@ z=Qy;S{ _P꬞spuq˞tc [&7V,7Mw=~N+3;SKQi2τrG~͎GۡuI(}6NUz-1xBO՞1UtX12׹.ۢt< "9|5Uz7!Z=#6顃e޲7ŞT===#lqlQ$y+X#Ac @?$^WG-tλK`D>"jNhkAE)6q{ .7=N~왔,;9>%C)B@%lU5ر\9lM]Zq9eq0/HT}0Th'аZff͡U &.P?6 fU{fmCvCӊ4?`ECYp2+4 Xu$<"X iX+@pQ7 .'J(snҨ\THn亷"F.f? Y\n L(IΝP0,rkx<4ߠQZTc[q܂q $ q6~X ug/&,pR`-޶ye\n' .Ý;u{pxSǤ꼯 t@p;^ՐLK@?WTQۙŢ(&<_O{o>)x)N1HAd"2] 2!RxC ^zQqBsB|Zk(i[Xn*nvJ)&dQ #4LYTznQQwYX9LJ~cc>HmzaV*C91 @>HAȬ3)*0??K!:hUTzݻaPdӐU6L@/.^_._>|}@ Cf@ ͡r^hcbKM&6@ga/yVcӁ d^m@pg+JWf0;D 8Iř`\ x(飌r2=_gs*̵'@ T7w-:t KQG5w<&rMf_J GKǧ`b!X,תFCH{HaE-x8*D#FW9V LRVw3@r5=S.*\D_p/w˰̈>RFdS<`׃KV} A_Dr0`Q VLm ?M$O.8+aJw52 fԫdfaNL#F[ HplB-9͢ Y*/-`}tL ]rP}-?h jiD:@d_Aݭ#,'κt1P7Qt^?st鍋r+w(m9:OI6PːGxpE"5`x>r[mgO'G*ܕ!_ܐj:]F=:F ">11-/'TN١oe */Ys+Pڀ|좏2dZY hvD`"eͮj?[ʩbgR :yt; `+̿Ȕ%1<"x}%ObdOo #)/(4$ĘC)W&". !BW=,yAZ%T$KC/p؞1ΪD.Xa\z*ljֽ+5rR4h?ǦޱKP&UdAzxH%D7nl㿛D#5 8v@9wqo~'z`ZhȚ~qmz=MIάƍmsDic+齙Ie679qfvrRP@n዗}O?O,b3pz8G5uie!eh?$hւ3m>eC\@w-N\ E;1YOXT:>$+WjwW5Z[(LXOo7r Δ6ԛr GKAX8皈'ٸ7P=k\ԏn~aQ?vlkYTPIaƥiNwԺ(lk_p6n4=סZI2k6+ ߺR 'K0 !9bH[ţ ?WhH?bȻv}JZq{~H3C}8""Lmt&[lv ѪP1Ylu,ق솿Nx2_T2UPʟJD`x ۛKU/z*2&۲U3G~P;9RL|lBBPQ6Xh큨77BUq[0pA,iR\4uQ,i҉M:)zY6hZ &xi@Wn+XFP$&_Mþvq+ 8{."Q 7l2:wF2-u 2-H1nUR6glm n\;a=awkQ~ymmqJ/^ 0O!⇦MUbc \@O 0ˇI+ D^ml1NbSlGZ,)86掸S $Cp}0ƝbI/JtF :-#V_GCQ I7zH Yͷ-܇]N߿Dz>h3tls)τqzĪHsomPWJ@J9w9?P?sLp2] %a4Yb,V8Kr p~zh@2V3&BXp853‰߈RsvA΃ga0rb"TqnmQo + V(UvO?.8\Q5i+~\j\AQ򨡞 nG%~) XG *ۻ ލYs\7 {>j".\xjDe= L"]]%Vrc;5NVP'9TI0ϣb. pRJ^IKfROoc\^g#$|f]p;q2F/ V&ra-\c(&tYdz/f0uhޠ Cki_ \훷ʦy e cv0&AxOy\3`J^ =f2 Ah PKg8TӔރ:&+{cg39a.(E y{b4eT>|Vܭ#~&;aRov3N0^Z!? L℡ 4^xji¸uU~KW9auSΪZ"o5[vEFm`sB8sni>6|u_BYN=kr cG:l´C7&9cH]A;:Bp ӦtT2 0lRm\##Cހ33-E-:Kq!YǙgo-ݟI'!M'tR05 5f\S&C[fYgx=VS&`֖fn5xZ/ >RK5ONT8i; Ot䊈w0#/aQjReɭQ_~p,{)+6 ~WyU`m̳TE͂"jR_7Րƥ#D=όط3"%䌺@{lm_NKJȟ❉{oo .b.pl+(>@9;{(@}4G o  \$Oj;V(\O(e2@2*d,ƒj6yW:EubqYkl/)&4zV!`?pRWaf<_y>]+LXRGVoL87MxTߞsqX%~c^Հ0-y{@SW[aƆJJ_bC0L8g-Dۖ:|助-V-lpWJ 1j i1w@-pua`~ }!頸q(75?X`Y˪ȶC7n^M>ӧ M4Z_Nwt"fg57QťT~ڮS!:01.! Ļ࿀F2jL GS{v?Š͂jwxw~H$T@WGp5=KkFʞYn3T,o`YpnD@U9KmU$9|ɅA$V4o\ @/к fӔ~O Ȃ{5F}VԀ4>Rt! DIR&UV@ᣎ|jyX)K^9*0"w/]_^Ff]]QD=68 5moM-mё f&EkC~GaqV(I,ѐ;5YsM{xrC]#(VOs4.K=di-epX/V[N9)xi;Y|ITnʝdWRAw䰕r&"86q >In]O^*x|b b=XRv`a~ ͝Ca^P% KǷOi%n"xs!F}ThG bd?x=b#/3+ ގb <e*Ui4ȻjsF'Ҟ%Yˈv O>0|Z x1/RCK#C:Q Aٜ2 i ;!:sb=iQ/b&U=5uiey3cѬZYxkGND 0 ill/dHtFsdKKR= ND-ݣd??5nrUFl0V{9!a1oqqN;#TO!kc8`֔Kx,2t[Ӽ3lGٔݝP@-ԨI1N#,br~>L?S"r8VtXg?@6sTxTM,֮jKJZNlxooͧ[qU x19̘ƪlW yM/V[ZLl٫$`qC"Q}]`Ut}-xsbdNcE tS͵A-a<t]uMSOM-4Qٓ!h>0K;,zfnL:*Ԙ g%hĦl.23*c.&ú-D: aѝ -A(Q Z!C]~FL0-f1# b*'W9+4VɷS`%{Dc#Qoug@=} 6bOe(B=C^}F2?siǾP|"أaz͞1}~ G;B!V:- բ>}3(V^ծY|4N MiH IME@M]_ -;8 D$rTTISݞ~& iaٟ}*Mn}c?$a<"O (m.UVr-!Qjص` 5N=qFщRNCϥv*.!WlRAj2zBlp/BO>Ue k`Ɗ|5,~xWvTWn]!dadJmdn?Rn23KŔyq?J)>1Nɹٳy*ƾg:C<4AuO9Hq0η4d`(J'cuIce  lBcĒaotP&S FDfڌ[9ek.a|Mh^r1yV:{F ָ`cE6܇^MMx;clȅ 1[.ѹB+?S{*fI5̋8N+!% 7;|<1.]sdIF]w&|e| e;zV~S@).nL()0֥7:-~!̙b{^z^8H@˂h>i+6+X<㔤6I;nPt,Um+C;;Bugwm1]+MǣãV! 8MJ9G!T?ٝ7]ͥq[yۗć^٘F*abCOVPISΛq^:6iN;nbd'ՅD9zڷiv+`V,O?!]D+\/ !:uqsG|CV @Y{ cx~HЬ3aX!*!ex7ӾZHHfZS -AF6W.-F:vnV󥠑/j#CJց* dХ:-PVk/T518r$;h{:6L< "m%79V4vF1`tzO cd=ɔ V4nP=̶ƉP/\DS:[p:&BVj|Xד~f+l;Zk y`cp2EW𪟽uJ%2v:s#O:ABP0xP Yq[EYޱ }m,fݵz*T4@J$vۺwld뤆l ƣנKټ E|eB/rs]Ň)B=AJ" mEG.!|8X]S_Hجڇ A87 5} ny5B#/~4!6bBQ^ċN"8؅Qlk @7 pA.J9萇k<^L+\t69sL5]t66&Tx Ȣr&hvTd|8q˭m2%ņ=|z<*R;Z jhzf }p)ʺ@9:@kE, o,>bbzzQ|R9Y4ƃ} _qN `Ñug)۬A5ThUR/(kw\&$XZ|3/mz{__X!HuS-2P}Ԕ͹{RTk#UM+hNM>X\U-lRSӿTbC1As  Z]VݡDWR- 3)|݄9^"RMsO=|6DBCQ"^01b*ƕL)RT>'G#03J֋; 5D4\6<l)F:u}.I >ňjmwEaš|W1PQ$ke("O8NA$abV@~B\^|97vI=. 2&@ d` v^3H}SGo_24CZdMf֤ :R?ohf ۣmtBރ瞇_&ZK v3+/7y: )RaҮ7އ:׶GE?G2+ C< J5K`h Q!őRLK&vr] #V &?Go(oR0OH2PrI~ٻx1_C`b55= noI`;SPu ]6|Vm4Jch%' ]t5+_BhepF30X?_Y**p2"(df%oH*(ǬUO &a|}N0Hoy3fO.z+szˆKv]W xvnaDŽ)qP5k~\VgCI^CL0"%nY?U_CXeoǭ{߶\$vRyhAT&P/+IbﭼYڸyR_ ]ܣw'C;2Ndd65A,O󉋅;ѝL HT^ ^qUS.#Xi"ĮLH4̈ G]NT+%DtJJf [?|L9 , D: .!%.„OIGV5wn@8N܅NO|UVvF.H |*Ȝ#2%X m<^+O㦴ͺxt{b?y.Z4D>aG# &Ϋj%e=-St_[AfXka! ^BlSٮQē{8r!neC&S"*S]G{ v讹Suk1?Zb+&0hx39F"? 9ʽSj8ג cFf\3SzX_3eo]&V1<{;Dsj8gycz$yqX't  Yw[u{wF&kY "qzCpDK<82lv9/D(qP~?k!oHJTfK8 cfH')2>{~a]ySc8%7Agp! t%y/Wp%][yy󊾲Z4R#P\ ˅I@ˡJ.C"GVry[s?́r9G˕pw #pz|cvHAB"v)ɡJ~iNPC a} <+й~m$R 7ĜEq(aѾ+~vܥd/j׉RWV10\YY(BM Cw@]V1ӓ< f8EcYR5B3"ج*PIi-׊xO\ZpXQ/AY-w6ov뤒ΆbApn=k XRӒxnql5$ٮG1SSz D}kOKLPπĎ|Ĭ/[w\HLW_%o0q.<2f!Ք1Ol>@P?B)85DwX;J@+lxn&;;/?BA"NEfhF0nZ;xUH2(X," լ~OMR': V8o?qaG>ޭ%^'2U`l#-i/B [2&ѬB?јpM4? ~eyQJH9r"t_kyD+/ ;qb))p.U]]m/75\t"OQkN'֛-){X\4{C^^ FL aOu*m/yqB^us.sS.C4KBKl=ds85^N㮮@=BX!(HVj>0pwt h-ؘyE []f ¯uRnHj9T&j'k4>*)jM/2MzZkV";VszCNt8@??Gk-tW]ޟzg 4~="X5Apbso[TH0R:ZZqEQ3@ittra2Aſϕ0ۚk5jӢpFQYI3>I r/2r L>ѿZH.1()x˵oF]9\җОJR\_ͼCw+2EwKp#- al~ 6%1 XDI6/ 2RrIK?:s>lflP**LUQ6`b YXuwX.sݢc/6b{Y7n,*Ja 4dXXf6OeG ܆ٴ1uZֈYyCi+?&`~O$Hg ,gۏ*DݩH.Ab5 }~[7`Kfsvar +@_reyiq -ex$Tp+uk`03&Np>U_V!Љf ~Xsm[dN/dE ;3T[Iej((Ǐnc peX|g7*.xㇳݨ;ޑpBMPfOUw:$/fw𚮙zOzdx ٮ6NV> *`yjM`{AúI-jcZ#%58G<)ɕ5<],Ϋ TW;OkW>/ݒ">vW4Z57N>R)V#=jtDASa(4ubJ r^|MJ"ǿ. 4Hګ^q7ACJ&k'<@ĻeQɿ->4 A^' EZ\2dV3ŷ \!b6ǹ$K.Ӹ>:{H30{LxJ.BŽ @h/7{m [D1 Ћ-^o"HRԶb;}5-Ηn]AzK㑢{J=&N|{c㗑 59߸_;zO ~[5ھ})Znz10h;qw mZJi}VdAJ5~\C6dusٻ㏴'s~=MEZsL1ecw[{`@Eoˈ8:%ZA)0/(rr vB|B<\C"" g"ڜp`E1b+/ܬXU6O`e>tBt}:k̠ LyUFr^WUu/Y1@ķщӅ Ki=i*(b_oHd =z91Jyrv$h.Uf$YYTSj?θrK 9;;`iҡ)=V]2m v`\u`A"C@_AA#rȏݲab!/`4~WS%)-ŝfS(oD$ٔ.ߓ}AOE ݴ:^w~~{M|11))? v?ol._@*W~MXd%)Zm|p*ey` {Gw<_h_2|.Jͼ_T3V`lNgo+֓wN0P"6ER|?0GU^vߡJD8ȵ7VFA+Ҙy'E^ZiJtAhI['Hy@SOI$/[| Ĥf:t^}kC^]o5Lv^k0>a^YM{Я:'[HR-$ea#<*`vtӴ(Ɓ`eo[i1cfֹ&-٢17' p5mO3DQImQIJ7~ZWYAx"s s2cKUS8Ā_#"+QTqubIP^Tp55D{tXN΅~$ eLa E'`p};I=6,#~kIQ3ڋ`]YSm 4Fx3$k "P(K46Es=Utv/=!vӻ\$4X.ˮv705 hEdAo茆>-jkaQGpgZԥN{c=15o]lh[g1.T>ɥzgˬeykvr×ҩWyAks~>\7nIgv0h@y7LTi/^cl=ϒ\ݟ(zds$='ݏ \S~PuϏ1mB`vˌ,<ՠZ?8HQJt*ٹao cr;%PUk#hu S՗b]%y@miDw3r+39XNlb2 dJ̉jw(IoF/H}qɼ7EJ:sSGC(WT1Vҡ]~vmE]STY'8;Y~0s3Nt yp];,nKZNъ*[\Dc"HO2&{x{'Wn_ yH3@:>&/[$u2 1%~Wd,VYXi+,'?^64Sٟx7V'K1p7 sgGI$ܽyqM?1ĸt?dKKv*#^˧qvI+/T]D&ezg@/IA7f.@<%_yjF~KۻlbbhE,-%OTSO;'Ht?DT֝[% QR K,ڜ{T: Z^"|dk>ւ5Ku䣛4}h@0_f@{+mL(]LdBq0~lGM8SܬHr֭5C#44 Ӧ栌gk'É VuAa~lZK6$L ,ʌ:+c3`5Q2T@A R{5+aw ETV&EKH.NG:ax'/+N/<m<YZiFI3k꽌[~jpF^UL.{ʄ<^Y*S:$i7C,/UگQ$iW5AD$3-4;@)~#87q$*bJ ."*BzZB̖EH ߼H"$7"K)U-w7&Uڈfm8,1F{@"bsNTz\9bGF "\Z!P.QS vó %hp)=.n#к*!hC܋N~<ó"lb, f G:Ot0AX qoOy1T,ItnJӄ4\h! ora)\)`z#@8s#8)my9=\*Ӎz\<5&:'D(KX" @y)DQϧ~Џ}T>jٕ&!2G5M%}NS?xuoWUzP^rqA*%ٷ}` ..+ia7 Xp->[v .9( TygFTԿyV~lS_zm뎏ycsCSP ('?٭Ft wy6l 'UtSt H: s]gtS kΨxfbfGEM}Cxd#k2kE} ůy%JTKz=4=RH!Ky{s2X谱6|OGY陆ؑ\"aS㑃Y)/C?;olȑĭNk:yIO#32d00&=\Zl9섽U#RcV 2l!n< ӟWϬh{k ˸;^qѽiSg"3 ,в.8pGiRb7-s8bwͭ!Ԥ (3-M"']\ 9k_L,eM=K XS/f['oyƽq(XHѧ:6;yL pBV"vwdYRWa=vnV_CNJ/[=8C?l 0jk5hѯhǛjq 7adAa?A4ɵ$&h=W`\} L.h?2o`""Ǝ뎆#$\$d1W{篱+lcIߒlp@aBHykF'~^3['́$ȝtY (6ÑB 1@B*A,';VѢ44FR|ll tFeyOsj8{}aDˍ-C&Ć+f [D&x*@bf/zمW!^>v]{,( ^Bq&IF'awu[[Jً1>y (.EV|#o P9Qk srxCWK4gl{i:=אE's79&'!Z|\ޞ;Og'(;bs:L%Z2qWji1 'K"}t@^3_}֕hB[BH_ŁZ!}"X}%.3b#'WDcW^UgP< vrfz$Ɯ[ gнBaTQ?sHR~pXJX;;^@ll YH,__Vj` K |7TDGUQ.N ̓!iT{P5H`L>ռxOj6(6Usijߝ@\I;FP"~QvaP: 2nH"2B A]y|fd܅2~enY'{Ϯ7gLšxOjZ$b!f%ƷƝYނb`˫yOc#[rVc 5wsc؋n9lR =.E~Y'幒̉$ϚCϼlV|s\S˸wTH3dy6iycuҌ)d(n#E)5Y[R_C,=tSN0,:MVI_)5֬&Eh--fx]ހF}c ' WSР87}W#Z74+^{h~ t) OӼ%tҬӔ(e.]MYRyC-Hhi/xfJJBCq t@N~υ*9iր܎d=^ݼȽmc[i܊d"8,6xZsfތk!aX ߧ`}$/G26hoڥ\ ]3)QY.Eo> 'fyBw Yx"pא2J#4Nԥyq٢o*",*4Ν?XILHB ["]f+t1dvUYzFwJ:v?5/QZNk+]OpE M ۀQ͓N OKK?YFmPxR{2sRkJNtx]}뾪4Gpv^0ήqsUb},P? ~h"Օ-$(vsՌn?E|:.R'8e|{M,PMvS ~t+=gsnc&6C=V7(7fW0[4E3]yIM6+A6g>eAJ\Cz%#$-$ Tz:TX7 Wh6N؅i17t45~~Du7x5[I@΄w78.*G{!+v1KG2"O&+7>ۡ%eK1z$Q-BmNQٰ'Navzwmzz$cHV4PbƲ7@h#] g"^Y, C0˧VjqxgA'Ce95 ] +2n0fxH³-W]I*}]f&Y1)A=/@Fj fM6+P<ɑ-JrkE&NZˑ#c9E ,S+p {_$%H KyOkn7+yƭqܲKp<1sfc0s)bSS,ir_®f$PVs8?3b.^0\N1@J^S;|y89v]'98"ҝܲЊ X%r \1u!3:K*"Gl7HRG &1KعԕF%xޙYOR{^F?+"RKII]? 09/' c,@~Ƴ}$Zn_놰 ?T"Lj=TŁ7H >g   HwE@Аf#ֲ]FU3B*,CćZ OBDž\R_ Qv|0-zw  ϣ'q_i~٫A3K*~d"!ւW:?أ2>^?9/KZ`OGb.ӕqZ ،g=ڼ'{Yq B=۠ O:t.İ"O.Ǜ UYܨ鬐iV%\ $R|2M!3٢d="ɐy0t0>O s@P6 *v7 ~c` Dti޶zn|t|l\ȱeDt6#*1lX].U`#l ?4hv t`"\4{FrkU&&θK3&n!.1`ɐ7PN25yMnJxr҇|C6h-P'iA&Mmz YUWO:f,]q,XZDp$T^m&Sm^cm!|Y# #X)+LV&< lr dTK4{O^ܻEho7mmt &5VXӆ^0|l/}t(zJj=VMO!4;$Skί*v0jdwO]&/II8}hh2 nFXQV5& .|LROuHw-Ge#?S ƤϓD| $:pQ֩og9N]c~$ur(cݽP3)e.b $nY3p)}#emy17sfj?ίL:@'hv4t^JT {]>++L@ese]$8CCGdvMe)'y>N y _ 1k +s͆;ݑPuLȷ`yLIK.(1耕;U _R&fR[1jFZ?X@ @ƀ)=>l98>"jV} 7pZR.2YuzNPe+٦al1KMLa}2<5"IY ʅ?ue -*r^Գ _+;4x+dlKm2pM`t2kD/T A.W+BtOH-zJv=$oA yV7'=ts SuCZ'F3,Yj[l؛!Ya֑~S8!gdo-Lue1PuHJk/8__'-g@]7I=Zq/]Qa^Xa~oɹ'R,qU3|Cg D[˨g?lyV+FA Nm`M!>gI[!ɋuZL[iCV#J53#ಃlpعb4x3ldzg΁:Y#-뚘vV0#˼@wȝd~;NX92[Sx7;fFo.Jkhϱ^Q|T2 }rY Hl=*8'z~)ǁŇu%nr]1l:_{r>Čٌ5.=3^LOR*a ,HХс M9%,]όThY G$0 uYOъؠ(]DO Ѣ h32R>,C1!E.6k~PoiL\`r P5W|߂tM7'K*\df{Th7y^vEv]3fTc!SB39*OA>:kwF8" J_L3zg`B*x'h-|߼m q0cE]DnGʛ@)q,a(ٍ[n 6 R YY@-|8!.pz#S5ۭm$#}ס[6Ț4.I$>.C҅!X8$!T09FҴFI,I!AD~y9F 6?}GzOiڰ=Yz1|\ygy71/EA{9eFl5aZI%}5@ 2?{!ٺ\Ec#+s$oljmKה0R+! n;xw.rS;ĞȢ-ɻx; B:5Ul+UKkNrxŗ *ʼz'}: m{GZQK vm'0MKx[kp͑EΛY'E)mXTWK*v>j'-z J+fv"zGL6H$"yv_oQ4pQtjy րcf( a^(>)Tg}M${R̀uN{qhIV47Ǝٸy.[vg0δ1(cx<;6 ECtr%>|ISd.W1W !x} AqfH I-EճfY."Qpx:U+N{/(`,KвQ~ei/>j9H7:d *+Waĕg+LWe bK:=b\)&DGo9 ϣ%[Ѕ wԅXpԫ"&wmǕJ7;핽-=ă3,:c$4/%,zz5}r?'B g&uaI\MKȟc JOA{2]p@ΥoGO7bg[6C לy7̃m6vzRNiREܟklH^x=>;?^qC-!( =58i*J1r)4 t2f+@ 8 ?y!Bļ PSؚwJpͻl~ٖ6cdaCkN@=Ÿ '8qڏ-?fSݸ4 wwh/o{Q|X!<8iMk멢RpnP8dz z4/c8Ԕ@Q+*0K?aܔ!AGq[%ZgKI=Ȝ/˫ Lw̄L\$XO4ijo J`SF#i]tSvRc*$4)[ CQudP l OC:r7U?:x2rs,*CBc/bEIߎ^8롋~;\c) baa~>ANau3|+,5l'7ܫ qBk>f g{R,^nmɗ E} qz,iʸ_WRq*alpyOA zuG1L~Sv0uu,s]rYӄ(CɋFtj_F&4wmA|Zĭ@M Rqah}{p[7KtUp yIJ{@>q.g+e|卪I)L\OL˹C INю5 fRzq} !mQ<)MIecln+0Q*_oWD71IkrĠm{SF7pAL&kc9P؍X=Hb yԸsF 6KoQ:^m6L1(JAB~boa?kAwZkYhΘ"}z6/k"(`h}ya~jA-XBpVSxI]qRW\#<f ,g53"I%L@ t 8%h-RYOj^ʁ~@ [Top ?KH'mc- N4j2|C`+ >6ZZp6)\1 MDkuT+NG[ߒ.1|(o@ߊ$õK}Nwm:,6Q^:Q~=LTP"Eon.0*j!aޱ2z/ﶆ v w;m F0oۚuyW#㚣hӛaF6o9IIC#If]g]euR{}skE;9(n t>ۏD;.ӱk6=-)cK.<r˚50Um|}zh}sP˒)hb.rVB C8uh(ZQM`մ,P=[ʣ8\18MknEJLYTx3q$y|k`$FO)Cx)̓ e.f`B5V+@š(hfi5z֖rv:>ob*89U\dh >I'ۼolKLfT?tr3XA36B@%[WW8vPP\u A- wePE0iRr>nHh7;A^sst̐6*W(t\}FJ7y;x2)&73*ܜGce#~)-0őLmC pzzL-}}< Y>5+y̜Ȣ<=L+ 0M}x̓=-Q@WL R%g#Qcns'T#>CңsgԂ.ѰW֠=t>~9z4GH &[GX;V,yɖxҝjEi-ܮF_; {{_I⿲@ENu=+tuH! LށX7MfMؽ [OLS&Di}|i5úd4}< :Uw ~6HN[*n2RFkf\ƈmTo"xhƂsw78_2d.)I>?Q1!ʑ-F4Xt88}qyoL(OPjD[L j< B)H zBUS(a-*"68NdLl*&=oU,u4`v;?,#6z?*^ x*MFb<}uEp%E6%$E 'QAW`Ќ#ƾ2~=Tc`"{E$6tRDI7rܮUߙ@K~O*U[ S@t1pfǚxi'`a(5 Ԏ"1EXIȩ t)@jLA3b\*;%Of1- e4ΜOQza+&zKъiP'lq p*eȫʄ/sB_>7p,?gn!XVZ D= L@H*/Saˁ\O&̚T--EI>1SYbXX$uiA@ƒQ":-;yP0R0] &fq #RN /Ku/oGm;?/UbUL2>7GW22+>F~焢2: Z/m/BFǚhM{F*دRԅeStRo- Wb;x2B W"fEOG64~3A՛Ǣ m[]6Bcwxx w ˴P^>+vG5enZfDSa}_aVQX  2Uᑊ_=h:)aQGn&.wƨ>$/v[ӴQ}Vx8pe4@uϪY3ݐ`_fBm$|c,aGX6ib;LƏwƥla;9S[|zr.孲3Y|$U#$ˎID-1U~lUcc$g)BmoEȸrz/G[s?tĝIp*Z)d+I @Oi]NF`@\cQ5̥n[8"̦+3V\ &J W`>țW1s4tm>!"ʙNzKm_7xKDɰC%tɑelP(v EPo%9ܲ4?@{8I!jLÃ_41*nn;ƚ~6|H>3"(mH_9BjNq4=%^xHoл`o'G)Ү\Iu(7Nb[)jߤ z1u!kj{[YG | `gC!j:YFK8mN02_uˑ(-‘Jj,UӇShUY/fcGӊ}/>w#wV=@4jYX~Yy<~{=[La Zp; łvLv7(d;vnӼ'iB B(m޵eY!N|a1#bF)Y̑l('6-_\m~_ԏOl*ÉݤJ+Nއ< Ii8 {Q2zTGK ח7aÎbc$ҫ^m]Jlbڕ|cą}pWA4G ![ZƼ|OKǨ;8{رT0v*uQ]j#Yb p!!Fw uЪ xX֚)5k{u#RBˈOכjꪙ_u6 OlĤ7o[Uafcʽk&/uY(gx]DONѕ}!,c ,ۄ:LlM-xKjcGye!k@UL/ENVe5@nɤuGZeU׋z9B_ه5f "0k ԬT[rߜTJVïp$Vcl x+` g]!=xˣxA KB êċo8ۑ{iq=bF_"7^DB3w\-߆`G<|ɠ)0% gk? QNZ ;OWP.';e2!6UӺ֭1`Jœ M= Y2:a v S=p(642yȍA~#*6YEa=&2z?Kz (Zz>*m QzSq Ja**W?Ndxp1#Z~;v R%s׎£Gs^Qޓ0%]-[M_5~*} -gޅOזQ֏~Ŗ79;[|S=k,&%p&f~auR.8bV;hH3mH-xI7'W~uZn\`,.+&'WuRH[RޒDww\2?H<|b^M6Htt:Wܲރܼ4W`dF~0xMGj}WDH_Hq>hQҗk1ށx4=f|ٍo>J'vF^^IPM3w%]ץ#髲 <Σ #q7ljlVaf3̊$DRL-e6V >bQ1)P;pRwd_7Vވ)qyvb,c@ jƏ̯R ܘx7{)y7 [Nvz+ cؚĤiD𸊿okMt9 I-bGK/ w޻v0=jH{O &_3_b?]k\w ^}0E~R^wd7t|\m | 1ɵiFz"SptȮE?KfWVΔz'3MhB"R]oQ#tAGtSUA+AX5%/eVX]3G):(K?0>,suƣ%7n,D$VzSƏ d8x Pop;`M/䐰vȉtv|EW4/49dj~x>DŽG#K"Ѷd- wM7d!/RO{ca8d\Yh!`f\?!o޵ 9i >´IBr" 'uW2U{bC|{8.>>$-? N0 CӳD.H)@/ {,g^Jt$mc~+ε>BSeMLP׈ FCX5;$-:I\x)}iiifwRݴ!( fu6験vgN1},Fk~TxF<ѐPy'o>l^SlD.2([HG=Ax CEKQA9MS -5`)vtfP99$q5ԏ nW$Re~5$Ykb py71h,}4:d^jjB3\%ec =b^;qgw̗yk)m[*d*q ܘ ԾPQQeU5ZW9I4\sTJD&Ht)|d}Li%nc W?JlB ١ [r'TAdn4H?I~=7X5a=s_%;ˀ6;:ʎ1P!k>y=W:Gqps5 j֎a-ܐ.G`g@AK=V{M< G)Gnq_qF Poxl[7FXx[YEʨ/\xUVe Xhmrˁ+bXfo uj@ۯܦKXlɮۗ݃6k=}R*H{@͏q(.AӧAR5w]:יũ lx M|K mku*!.GO5 QI62Lc oU(C(BĽ/1@ mR1CGO&l+꧉|oS`F*dZy'H1 p%LkRrq6RW*k[ 9mֳDGdz0TKTKt݆ db;Wq)k3y\o4s~i qYGMˈk#pF E-W p7n3ҩ6ݸ* R qJc=z=|DbΏc'y8){Y*CN}McV0e|RuJjJ$5m⬲ɱXݏ[F^ GrS7N$gKqRfIvow m08µC z=4%0V\PJQN!6wBvxi\ڛqUL:, (gvC:Uii.ɭzL4#1dc TH]Bp KXzf]L^tM׬MjVHwܯIZY. b3@K:SyI;R`r)$L҆DZJ lcyh+qB~'yBrybE! Zxg/~nL]Mkk2C 4*O}LVlrjUi=-},8n>,SHHZyQ\8Op%HK%R68]=͎&bTG#+֊N#",n߭IJYζpy}ASwF2, !R&Tu4Qsa&c/f+C}ƘeXڷ$kVJh%C,a>e wlkb>%M"( Eh&E/Xι96Ȉ+Eu4uod]|Krj1 $N#Zo[*rGCjs+Q9"Urޚl) :lY0kpbJ\N?PEI@c9`^) G0iAʒltrs_'vR^ De^K\z[ [aհKf$%(_Is8Z낔~$XxX5 2y'\]uƾIQNw䎵j㐕'toٯ@yrI\2&仦g$CݠɜOd @-P~VC{MTI?whr |y"P#,(s4SrQz8R ^K{l4p7Ui+x}xV3H܈͒H@1&Q\*NIᕆ"m*W >JH&} ΋8OٸKxA.S2:ދpW +抁',gCPE$0%[IڶȻ.um9E!^s`2d4S,AnxoZ_cU8AkQuiJD;3@L $`*ƨ5l1*o^aeJBEf2><^!'nxLm楦,lVAyYagg.MR5#׊<)3Gnx;S 70ݚ`"[BΛ-t)0GIa3"amX<6}9#'_-Ldݧl#\;鍌.\rD+n2gsq0.3&<m.K9yGg)6*ovN8%1%'3vG̕:hj(UQ{7*qu)Yvbw+S WG- ts%=T0Y*|J TemIӌ`t6Ecܽb%jx-)5k0?,Ќ˒7}/59s抃O9K$u;׈-FoB@o w >^ P7B Q1WɼCjQn]+r Kz̀ PW9,%4–݇+? Not`؇o񙾲W[A#l }YvU$L@&δ gK  oQ@!0wFi$X% }\RO3FUi7 k{j©V`oSANdXH:QO~`EsfڌcS۲RP;y}pFǺ瓐b߻J`;@AFR9'~AQ Cb_ׯ"TԆQb/m̘ګ`_o^ƓX{\VwV @S )_1FdePcfUl}K$"50yP5% ~fA[CBBt,G&"Da4&[$Ğ9j{Um%9Ȫ۟[Cζxì4TQ94y50kC Ǿ4lU@d%:~|zc UU@Y j> nq!NQ]{,n+Kx_jFDr,}MXҨ`v4"L=ɕVpPbOӧjzdѿW *<5b:4K_2@HOm='1>psf,;)6Lak |5=a[( ~hdrFۋ\V*l!+Ntk>P?֦yQLf-8Hcp78!As0 2<+DB%>e{ =BSaBBF}X*-/Sp; nZ[s*_6i]* id1 ͍{:w97m(tp70st4!!Ò4ϔo0ܸߋY1:@1x(N\ӜV1`]idXm04]6Xi?"8 =CYq?Fu='ޚ!)h&9^u?d:!H|`y/)X q,9ėjk燣T䭥ȁo"ݶN"@mG$ȑ.X(8Էff{U>XLvx>wu0b"2azoB+5W?9!^OKI ɋ49UxׅZӞp`Zem^ӐWЭ H-=˔\ nOy |ݵ/Wa/t*#M cR'2(TOO) Euw[6^6iC1,l*F:q{-1ͅnKUӦ|o0A\| :hNX3{oUqw#=u\q!SG.14F^bm7FKw%Enu^&,%@)Pc<CRggvX`ϮB}(<=VXBjAk@!%xhV 9/oȣ= <*8L2C+*OuX0 ~΃ "yiS`ޱYX>/FTOWHZt&,M r9qΊ늚z|% {f'+ ZW7o!#WU35 c=Q8ѥߙ]_Ζ~'F+Fza}ݍA8ja4Pl]Οlϭ)WnvrsWo R(ɘceRodpU\_N0d6&hkbzg߄S}E;ϯhў+ͩ:|gCs#.odF]c Oۣaa9=ğ ПEKZ0%{!>-=:)Ƞ v&U<IȂԓ$%udHU&D37烀lug,|"J6ܖ:R$x;C*a= rDjTyi 3b4Ý^GKzoMR,dna;ŀ^]q0g1líEE[R(; EJB;U>lXGTloT@U2s(86b&tP$J[.`}^4-QT,SICZB“rY$Ż +m0E< -!0vjHp{%%Q޶#}KخQOThoiI%]ŒhD$9ʷD7ǒ~\(pޭYicJyTKz*n34a}pʍ1SZ^#$dNFћź?.QSw/]N(5qX7PA2 Ѫ~)}qĐ -2%"vtRj{KD>`a SNҡ=]G[qrfowМՆuCO?@./ospk!/ܺ /A WjZ8(QNB~hރ@ui(6>>QF8=E>z|Ef*)|tCOգ`:;H"-!@QrD S/dcWV4{)ywIҾ۪@ 7CXD^/k4B '%q9( V-cX~rVط;WARqVxŸQɐjM|l5|1cS|S umO^Ftm3ffqcGo f׃?7r+b@BȚ]R+nG$ Wܦ?oYQ?Zw'|׺t*Œ,Z0QTg?#,~&ݺ~.J/! $G-ec m mUl{ e|y8HVR"Ibl13]44VoOQs\92/O4=0%ЎEP|ӗj32#E,0]s9eTk,x@V%:t.ޫl3>μMxyTR]3eTt!r+gu)-Eq:[wO4ϒ{kfݛhh0R.[N ʜX65(3uӕʚLZG>E kr:Ao-L<픽!]Pc(`81}k  b'tQGu]krxr8Z}*NA+ń0Ba7k"c f"hLE7D9Pʵ˵m t͏DxSy`w-8vRf)VUiek]B$X93 {@.:Jq_dGk)9ê>]e>atmKsLmi:X*a1mwRT[pn^,m|@\z'tw[0㧫0Uáu@o/vd]%NVL9tWVSkFV!+bl .gnRŜ?hq8^T9ѶENUOk A*`2 Kb97:S17)_r>φc,.9rS*J5F5 '´UCq&euރ-bJO8m^ Σk \ >rn 1ylvS*MX`2 /f=FwUJQ/}cum'x禈I7] 'BRRX[z#I,3I4ɳ\c[;6Z!^zMwf7r)%+~H}V\c_` y|a~U7a&6Q)!:+\sJP* z:?5BsHEbV2~ qCE$xM,z%X"PkZ2Aޮ2{3?lTCJ.qdndPzC~,\.C%E,/Oa@i(‹dC/|sF@j{1 ;3_#]FnGݻ;ܗOd_#-c4q| N*ϵ2ӘM&i"V;d?FLn(o Em# -:HjEFƔDūW.'PH'brEEJv6zEzQH‡0zCtNoN iy_᪯Sy(z-hk%HV 7ŔS9l-^ܤU}APyzU!aJ|\ZUsKYY+,s`a IIL"SgpL-F7>x22D:e0Y2,j6YyK'%3L>tV% =[M}s <(KBq?- 9iu|0H'tڞ%Į9fή$#zK)c?28C1QïL^ܽ¨dK E899@wN~2j݃RTӃJNNWVp4W>mU:t_U%dzX.1r},9M,쓯bf-\fL@{b0p!VNZ֣xEQ^$G$ʖ Y;rm6c? #`џN5 EQ<~̲r:.APٿ66]ֱٟļRwAO<|?UO>R^7$/~E;J(ſ}+>?&Dg$}Qf6 bJ$~-iػaɕaڃiQ\dauS GyZi۝Ot!9y +qLjJz2SG.m_ }RZ&j-Yr[Dԥn@ ͏OV&-Acj`eJ#F^[oM  9z$%_Q5Z7yv}(hU8Hra|,p;`p)"PZUNq׫´%KV{Tdu ꊮz>E神0jS.۝;F;7I!ͬϙ/fE} ?xZ`;yjL8ft?pq+ 5f,^X^w_,O2ɌO-WʙKCC2#Ez 6EYyLCE(PZץ,0@Y M-畛'B bbRa-!C{ooFF}DZ@!)ټ@a"8 A`LWgY׺%SOQ8 ;%}g:ܰT *lB>tRv.(ׄ N{gĮFaIJ Ogr,g*BáCtI_r1F9} ޫ؀lIVu}\'-آu\_Ԣ֙a X YJ):o:Pi`x ҫ qun\w-?4x7v pl[YmK Ex:oMP}{jX(jF>gxUpp7@50Ge%""&*N`ӌclNZm,qV?z }TZp|f q3`C᳽8?Bay>i{i*T.w&QlMMcg8p wt‰';у:kKs4֕刁{`v#0 Պ6b7Q6fPt#ICll1GBkM$ 0 (eAgnBٔ09^)SLЉWAReF&EJ sjJTNa+zbPm&8LD SaPf.0RCq];W+)5T ]̬:Y d~cٵ6^FPY>KP)$ Hy6.5J[ %'+AfSՏWKOTC͔O/xҵ!o=jπF -k܀ji>PS?z4 ),gMCo2,fpψIN4e`_UڵyE)58(G(` ZrQ;.@z 73(]3. V*&TA~4a :; 7Q/#@hop[WԬ|oUIp1Q߭gF noGSɣzʲZ)Ok{+>‡Х(a2ș0I,AB|XJS/,K: lqkje^}[RT6?Ss߻7<9њRpJeæUO)VP-z: ~*iߓ4PF> dbTV9g\OgU87<)-,)32_\xDQ:I+ݏ( DjԑXNj[;$JTW̍ITn4NT"e&)!.x-ᬤym_Yء &q]󴗕<֛(o; {K2+.'=e%]5toY$1|h&~PtJ+ Q;0o7{Y;qb}-mbQ)bX i*jL_%Wدx{Uu̷K C`.r+TAO[(X=ܐ L[Q2?gF@'8g{%IxO RV{UZiz6#n_'kӑWaPjWnCLd&XX{If):@jMvI!oYRH$!uigK\sÏ]b2B,X~AY@N˱-xڲM0FUGl'%;~Pm5-ϰ3''^Wn(0=ad?DhЫ$(+D:kob|KZ]mWρ[,_,w\[FEvGmTef?jGg-4&9+BBY{n]F#jdޕōkamڎ/sFD8t#C4o k6a@ Wo\u܂Ǎ h܇d)SSݿt1wꚴi1 p[yypdHe nMTsv팾CQIԱ0|%>0̱!'H(jn(\Sodw+R ºRhz޷DyΐꁅɾY"V¹Fb؁ a-G1֙j?,B)e{FzN .AT*r%Z_)ı3үK,f H,J:7 kXQ&s8tTC+'̉ލZ *C?R uVoco?gl~*z(w]+CBe̙?ViemU@c0kh!SFEY J,} 0Pt̻mJ+*ލEx3h'i"j'N7␮Qe3FY')TFY ;'L3W}v mr*+ʠ}=uHON1po [el'N4e[AG46@!:4:Dux!@SΦ]갂(yhC^h2\v6pЌ<\{U=mpI2M;M2^𱸇Z IT4עےш_JEA8mlbN\ XP=lf}M?4cbpֳ_vvi\u2jI-Lq |xtӂjӪs\q32 us{#z}pRp@7ce3i(^Fo"57Dߕ'j,=PW5Rt"Ovsx BH ٽ k`%v - eYL;jeDWWX)tMóJ"\QUOqճp_ fTXPj`(mHs k]٫ut=&sV@~{oL,Vgñ)b8!4~#@fe1lX~eevQfI}e4e_H d) q>D'$'T|YWx8(2Qdx.+MGY1Sy$R <4R)H P9`p qR#(.jSeڗ){SߔPb]1l U7uO(#Lp-~Aw-JlD{Wvv\ $-X` iqNQj]WCëzXaOPl4|@q~ e"1S x?4I@J(}x"o軍䈆G=uCh*A'65E$LY\gdO1Ky|-b"}n$5E}2̓$VdtoxM@7F+5^~"Uwc쇘.8S!YZp8*7J> 8f$[32.k~mi{e |s>A *=rn0*ыDz]* nCR-DkF|6] zY%q)mO#j7~KC7:ZեU6Ѓ8u_26((.Ffz}.u=6o :Yiy{q Ekmg'X,! (z $rrOw(=k׭'Hv [є)#q(ǝgPj`F_P}#^,H΂` Fd17VRⱫY\L@]\ 5K1 ge,Ȓn૕0ΐ٪2~5Ѫᙦh3ԦIv, M7m>r:X#%!k%>&a$dR Nd:dP*QP^8*t3~(7@ ݕr*?7QWQDG S~x Mt}kZD pM\pymb?w]"dQOt ⦹ ku4Tcuݖ.ް+e8n]Mzkn/))]јV{O\{2$$q)@qs"ǸC"m=+@=>|-CZ[&;"UFy!Ů(NW5ly1ґ[IQC7WVs$feb)++WlM0"FzRƔmI3 3xEhCC1lzWeȪ8@O8[V )nY;C/f]gujU{&Xf`QIU'pIV}=W"bOǶu#p֛R2pTy3ͽ垤I[3NJId&Ǻu4|CL31g!UBv׏3 _"W!^188a34i%_oL"ShCn}~~惙Zp?hQS3k^Ϧ/Cv|<ϐғ/hqaA?jig* 񲆼2 vG` ,;VX1}c# @:C־s.¤ťןx𫔡91@dVWa*u9!eM Ӣ>_8110P?{w* ; /F1@TC=D!VT&crHxOJ'D@ U []~ZGT͖&{O%* qQ@_]lX?GNj raeJoKB/T: tEK]:T*t/c( ]i>NIpC@E3s^aBɺ3#_[&䬌kL[qBm}"T*bZ W}c~(= E+!6&_r͐wShҢ+5pz|>\VpPsuV۔->H'\YXD㟾(Und)s+F9Ok}H/>IG'u-7jp7n>ow OtTiLv]D}Q6ڬsQS:zgJD_1J2n2c(*sRBSRPr-r"1l:H, tJ;H*k4LSA9UђaǫAqQxmjcV}BS75[;J?3 ' @ojM75s#269r>4j3}Bր WpM㦀P^N+T&`|v[uhtW5^>aCN{~GDs3ܠi֛Z%6osE)Hgm9 KH/Y4_cT7k3^ϮHe>"i }?hSXK GlH@x v Z"I7qP ,ZkNuۤl@nl3"mZp*Íڱ 1\ 8LO`4202$ެpz[B<IG <@430!B`ˮpC{F!\y+m=85یbhYۑx6{3}"uJ O\5iϟ< ߯ΞZ$AF==q <:}9^ Tѹf_/@SW06\;^}-0cG:Rx<N`c_/"і2ʜP#Sål泍7t@IwIi%R@bFFq7D߀JzÉ?ʪE#Th>gI`ky~0sC gLԑg"2V¸ɋ ]ebb܌ T xQU"rk7?R(N8NS+A僺 VwC:)cLM 4ۮ^1ٰMbC r kq1u:N_gq|NcSrg ~"ifω^xoG)T1*]\scO?mvp %-KuH UìM5?lVܕ' 2 TbG;a4?,8Iv%SI+n5р澙!?Zӝ*|D3Jhm#wbZE# _rsy3 s1"<L ƀ2 Tz%yIK4,Qv#Tߑgmu-cYb%Q.Z"G1:LgFʟ^N|?g^查W6MBd~HgȜ5,4pb"%7m*s #5emk{p L ӆ?9L3FZm(̲BNvx"czD~R"J̪K0iR\.eΪxt`"e1O jX%+ 2y,/5i򥌲H05$HzA^/8z x=NBdT]@ d|T iЕ  [r(˯'.w;o\e'K3c[4r74~`SS w춲_/:&Z>PH^ET :qF4@ݯ^z"yfi$ `@(jͩh.$)Ic(7[}cӜ̄ W唭5W8ķ8#VȺ=^LJ؅YX'|C}yPm_NV)EVėO} V5jV;wwlMyBZf 5 ADvj,JM}*08G >a"42"P:% FPaZ Z7S⸦=|tf_$ jYmϛؾpȋBzF:߁p`.vH?.+Ti֢w)%5`e79ɿegs"9T @} g@Gqxh[6h_QccnKݐV܆1OOBǝk`D&2smg#.e$-h9vLQ:si97rIDr>zh)-J%=>0 M*E9ILa!dH{w˾U@ͶHe|m9L) ?s2$Ncђݎ~#h194z :>$;pB"dTuSo{r|G!~uj_Lsoޭn|Ef's'HҘf]&H{)g8YΒϧ>FKtp'$85WƇ0yoؓ]u<pdpEⓍ@/=IRxhy=)nLdb}B!/9t|nอiIRCTML'|ٸo>B#;&+t [ғzkPeSY*8e7o{~wOO-R 8v3&,G5{t$Q6SwP +]IeC\5D)vm'U9D>W6_Zh{OWo1 Fp*F+^ZܢmsDMr|m7Oc iq?DsB8e)[^2825uV)yF~rI#B 7@$1'PqY5~\ZJhamXx`E~W~m [,c&X ㎿pꙋW|ط͠κ{[QtUΏX K{ü2Aa tIO"{(ƪ=7(" cc"j7(^zvwEuʑ \rt2AJ#Ɯ`&dQ3 A΋ QYly"{}]~js%^a5LY.݋";$9DQS8k{jI_' `.')1! g+."xA{w"F7sWE'ɥ%vaQ1+򂪈n,P*|W籰()NF+b\6<%$S': w9e Y#f#j}kW@u*dpsO݆6 mJ*\<6_2 xs}Tco}h$7cW?(f=ɣ{[CNTJw9Q^@Q/ zD!YpQ@^EQkve$aj@\#xSϖ(E8u^'-7Kaf˅1VF:p+jut ST'A/7ad4K 7FṨ5bé9!dBɾٻ5 ۤ }Lnc/qX<T/ Pl) X9)o텎Eu $E5wqcM(rEB.)Aq1 D#;r&# Y] ϶!\|A,#:nŖ)uѩ ŋp:/s[ت&ыl0aǁBdsR^ JuXHf;)nva1Y>vn9:}.7MJ\ss 1P@Y 3;UCg4[ zt\.y , WY |*tWZYSuH3 1OlֶŧwObh<-m1 lφI\^95M`XK;WK T@J^|Q&XEd"S>R6ܐ;anZlTlj%'?C  @v;D!lm+^k 7]2zkDynԑJlLЭ)*9C5*o6`1rO5eZ2 /BCjh▷uLy{SqCFerZ){z+ZiHO)W-\/ LJ _(F" 6{lԤG 1uul ;,ANb0aS°%6Fm<&OlMϝXW.Omd"E]'l!˺{ZH7j>Fk5Fab5/i WZDŽ_vsۄiFo u'Ci vݿmIΩ#]Zq|W6}"͸Q>$ൣ%D)RT# wzτ j&ՅŰnD-_]Y=tE1.7Bnз5Ѹ.qG3 ĀkYqaҝ~U-`?\[C.KNV ~-vECh3aPkh(#Y?Q(Rn}I\qb7rrfR1Zuve{'TVZN߆P?!3 X@=[sq~.m/ÁN71u E{^ sGꖉJzxmNǕp2lpuhG džUU@|}*0媍9X˕(`~qo6u?}m _I6۲By(gsB]k|d!gW(/@>(-5~M]hM"5_GSg,) ?T9Sc,|eNFDgЅH$yl4pl)X.?WG1 "KPO>mp ®^}Xa`. z-)9o#)mi$<)nur6ǰjyN^ԩw}FowfE6fWu!nT>m=x8b(=8n_%; ret*q+7xlGh]~PQm''E`|iQej9!po" СTvPh:ɂzK;Y| "ԋ 0TÛX1qI;Bzij[J`{F{2.%5Ѐ^72hKwQ#F()|¢I_JH)FUueW60Cʫ&z4"c(~puC"bm<'9][tX]ÓCA%D==i@ . /E83@8MwUfd<Ď),"+լmICٺ´0 H.o)x#[vVn^4 orw4sH׻+j?h!)'p-zPZwV\QPj2Dž Trc$c͇Xxjv4vܦP(s%C'|㨿Ê* DBo@*̬5=S傯s̜S]桹w!72`Ȁg|^zrYL Sg"_ohAB/x @\]fVY \ĉٚqK.ݦ<*w[ Ƕ|;F5 e5Mņµ%f%_&5(Г,~Kՙ^DWb}IF_?.q^%$[HS 0Oߍ9,o%^+Jjo*̖ltQ.6" !ekW'^vu`EG˻v0ڠ|pffTzĠm#]Ip؆8x*|DDn+Gԩ:7&d+T)yҚq(PfFWbν*duwJ [ڡVrq}$|~ȠF~! x#4aFL#ΗY+CѴ~38=ũt KDL !]´pbɳԒgʯe;)ʲv?DqrW. h100.I޾͂ N`Og37dM4.E n5(p?FǺ֒}vq:^AEYUЪ,#9ړp MNRB~.H1d6ºE[%%_uԅ {bXv9$L֎4هvZ!нפjך;ykx:~q٭ zt|T41 㢧b^UerT )#!Q ޤ>Cۈh_s{Yx^:jsu?8D]Gi+ 7Ovƒ<7fMax哥9f4-NJ0B]GSϭkA3yy1Me?$Z}b%2qpWcFгOȕ.c, kSәH( ~L{3v@jZNtmI7^>r:xnXMH_AHƆ҉_ @a&JN1lDObewC`JūVDmq`;4HOR&ƙۂ F òJmf:,+ɸACXm*[\Hޛb%@!lIY@2c,(Vy03̘im'oJ:",,B"ML"\WAGH+4bȰ'ՏHgK{9DrM28Sh)WSX#9T,3̘^!{mz&@LX%Wȡ Q9#=B rA7'{w8i%jPh!8tIy|YDF?rd>v9@=4s̄@  RD6!i5ģ5^jwiWhs e^ <&$ޘ$}A/o2ڕ X$LsL=GdkXǫoH YɫE\=y ? x^7JpYC.%?c?$}:Q6nNjBuKx)VH{:}'ҝC:ns- e΂+'g z{08efZڼ'ُX?v<$%t Sy רl[ *SP"^dQbpBHS1geU?N&uҠP^|F"{kd[36\ 2ˌZk-igUcj&hV;fk)R/rD=%\|xU98194]UfD6M=fGlAEEASt 1ٷ]P₳0\Eo )7 \bԱx癩Xžr'4ɗ37|kZ"?3|%C}2:NmZ/ct˕gyU\u"PCAxH^"j.?cuv8>4d]P}{[|Y%Ac_`DRGK쐄yX.n\#7%ܧ̬}FHF\f ʴ¯Gm4Jp)y l3V|yMh|>޲LjGn۾$l9 .(䵇x.A`/ 3{0M8$~b513$ſwaN=*Za`-н>-I'Bo*Ȟ' o9 oq{OEs)[RAU!8r÷( Nys"2jx/cROa/kR>jϞΔqۥj˕B| ؔG=u1!<(Rg/O|[G\jEǍ9ug{/rtNe q\1|ʀuɫJ@"fĩ}ߞF[̦K^ZS9hb .x;Ej݉c)4+ٜ|ċQؒD"= 6`b"w̶4H-qdNht)tbӈA<1mgX'/~hUSC}r]BY?(qý%sf߯瑺ckHeǑmUytͽ2K ƨ`s b DDxx Jӈ9hW ^ GpRd)7zԕkڙ LN':o'ܼBŁ5ӄ~IV5zͳ 13"M{L{>VAf.lY5&::e8u5|g\v'Є. iS6s9 <]QZJ6ǠBs5޼]Ls+Ã?TQVV9l߂D%?(YKJЊ.Q=+䑊SX[Kү_ 4V_8OTN:fp!/c>Z@V\B'FZd9݇xA1ndLQ~vxRe=O3bMN9u$/R};#PvzucՊh!ji雪Rȝ;@ Z[yb һSZd`&!1oKWeo{<̣W@4GLc8CY]ZjD0,slp, D2178m/&!C,"&sL:l烕u WwI-|š#y`OK˲{[^w`#+ıC٥Q CfDPL;!凱27!#?o[ Ia4ko9c;LPV cd4tj'qX'nЌXӹ?{Y1 F\y0Yjո$|#volT~xހqlP#c$qJ#?KeƱ3E7\o IʊO碸-|RNb5˖&ލf牠[Gf|h;O/wiHK׼O>{Jʐ:5Pҡ.29Ɲ.R58k#ѵI~t.d[@ y(?ib7J`.M][gT3==L94by(LjZ5la֋&p ~WE.ANC|oiJ.K\44R[w פar c_8S*2pN݊g3Vz^zBWe=K3/ϝs$bv_*wHzfeJG["|܎469:!LIXQj> o ۈYHH_,k]:3}n;RC)QhY: hDpLV?sKW#GQQr^- Qx+(;IG&L !9Qei[Ք yMZLqñz>~]:AL"Gu&z,\rTz19:+* P9`fFȻO%Ie+x￑F݆&B**l]5;aN8j@=ڣq P=HM9 Q1"[eN..-!=+vU#q# gZ-y@[Y)A ?[GY:MS-(k\y8uǂ&BA؁q.LT]\dzxaM練AF7 i*Ge"p#u ն=X!.&Dj]Uq]7*: W}n/d4~xq5l D"<> s\̟'|vt]fs5O5cI#BIPIY#K{YpvmY?يSp#a=0!K+Jm9K&mDeW]Rd2 rmÆ澘dʹIH]x~4L92%5 #D?X"gϢ #M]OD$6ԹV*39I/5;?Opw]V|GxEkA&l6e{ȑe4\sZ$=#T k[d$]-[q)q-xQ_ޔd(+9[n(y8ze7 Or"zC$8m":WC5$2nqU C[xhn5 tm|:G$QH(zf$/9,*17r4:^.\t1{bwl+lq88ǘ!CC볒+lxRyBFtzu (؂09L{bܒ`$#  +QD֜j=mn$ۋHy6vijy2nR z`{ה(q/g֪`ϩ\MRBޙ5ZԹ΃LZJnR?='Y韡Εw\S?Z[ZLyǡju}ޥ>ѥ# [iD?N/iU+3Y O+R" U`_[,]\gv@y7[cӨ` w^xy4B|@܉%'N~ Zx_ߴLLX?Do^{W7\ȌfT`)/Ʃ*".SM ,"Xy̍p׭V3>D)0,Jכ=N$l3'0lx=j H?8flN$$Ъ3HCА~kX嘇=20D2oxXmJ&!l}q'N@G=;6C ,z4_îtF[s"U MjO9a-W,-;iI^ -r쐏EvBT>(> l{94؆^P%ε:1 biX5"~x8P'b|o}k,i#gv^cdoԓ߱,Ju,[dXj,㵛*,[E 3cSrOw'z,Q `$~b IZRRr=Bpo]#NGTa8Y89xY?Llxj9xs\&\=t:% +$v!$+̠tF,~)n*8ÉhѶG[E<$hk(\$ɽJP {?z0ta]=LRxvacdoi0o!{F81]sv:+)EG啉QI1l`?@3;'`m"`_Ctx[-Bd{9h>0' X_Rqi{j lJKU*FrĚ4uQ1C䃉kM||9a}dx{X?.V[؆QXleD/5N=7{mgK)K&H ozz=A5DSn#S?D3E$Me\rN24ks;: +<ͰypNhtZi,r֋Z:܆WS[Ψup`7w_c ^3sO㌳L H'ؠsߪ  I.oAD[m*c+qfʉh\lM\cPmߟdQeq 2wJq`]0ąLl;Sc# Tk=b&^s]ΖoCvPTm @wiq a{,jDD2}2ThaT`^Qa@EC9:RȆ?$x4BQ;W~Bq0} XwAA5%6zJs_cXH| @v )H4WGq$FI(z{2P ByzRԺ,dk@HEHY'R(ܩBvjoў& U[BhȆ>j QӔ숓҃[tifMbJX K-ZA]RpόMֺmx.ܩ}^ÈEI JW2ONN>=tU !o}T &g:HF Tlߖ)Zrcb\4tizXecOGL@mkZeMF+&CTJ&zڽ%lK%+-aTjΰ[&ngv̂Vgn\;fe)7g?媶ֹʏ,vQ" ma׆=Ӟ J[)tQ`(R]uaC]%=Jtio.фo3Bw. ds>+tz^d֌ӋKs~ķ*<y}rf*ӣlVEj-n@Gfe]V 4YR Vshu|u i$1׻gpGfMxf+G"v&H)cZd"+~;I.)F0'G |ؽ wԃ B[KBQDC?uzqQr4(c~Kbd јiaj(-3VΝ&}* I*H+%u-*l ܑ ꠙm_ M6Wӡ|tԺj=w[ACt*G> ~2uZԔ4ҤIAi:_{AUveOys1]VTHP7 O5zofլٙoyijTOi R%.wBpW;OFt VU^pv?0/gP3_f3DRA7~YI,QמV)}!in|yL#xIcRrVh?S[4bpr=Qa"ߙL |7yq;|W-}#]z.2ݡ2{j_MMlJCtVEhM)8"9LCӲ.%fH؜Q$ }ax2UErtYқf]uM3| u ( ?b,y89 LrB $xg^~ \ol֪]@a QzkehrjJ$K؍W7+QD~ Ѐ ,tPȿ<=#rGeKWL͋,q%aΒD>'wpxwrORHW\6A'Gd%Ke#gJw&g\aya @ yCGX 6(zY bAͩL͈-PI fԿ|K]%=в9!b~+>9Sx =V z6hOT C F.OD=h}tR7ıA# ,nגJb'C43^)f^47>fOVL6 }o&=SXwЭM~V?&PH]D3;)5 ~mYm{ߐ6Oa }NN d&4Z1{)*_jd82Zj.nZjژ)#罶^VTe iq Ӎ)ԯ+qZ/9ͣ6i7޼<({}Lbm'lW- m1| @S Oܘ$|}wIN +L&Ju!Zsn&C3YIB d1HybZ;]$x\- ;gE2'c_,mJEnK|iuZ3l\(߅._s¦ R?noV$)s >NQʸ-bίD7`k;s#VRFi6"ii2o|6r]E0 xF3SEPT7>9`ԷNHal\[5ޞ~L`A`Bװ^!-tqZ1W[vނ@ONYЄ_7$Qq<MgqLώ,QSjBgK$#Sر)$_,]̐󂺕b=)KKda%:ڍ.o{ִ3!o1T?(q_[țնfWf-ya0f|}ߥI4++Jү:E##ۀ3xJB{;şn7}KkCc`P5Q6s($ wE|*b_Jې?LQrX=dcKNe=-MYp OH32=)S%1)W`S&'o+j84ߐȣH /61 Vx: ԡbj.ꫛLģT9|Y0df[ydΠb?[aw@)Q D`?[] DV L N'[U G $J}d'!DtgytȪ,^g:4?gxcےEw#Ъϱu恿rn";6wkѹ?89]ՊPDij{Vɗ5ca(J9e3,cсP e* v_ɾLe7}]K _|pI^6="M*eOgZY/hwYKvk5nSRREhԱ]0O zPT)QO]j.YkGAG), =Tfj^#`/&͚TUJM&9\ q|{vG#>؊='WQՀ}OBHA3ɬ;NJPX;þ&gK+o[CSQ|&]IYϮ*cD2?sY*CӚ[wЄ&)Ce1/J8oңH/ئxן3El_T'.w\TO{la?=-jzn sQ*^{n2sMpF*ԆL/EaW˯H^ j*ǮgD$XX`׀xDΧ@}&/n ƭA;)tPQ?7٬IW FÿVX d|;h\a0kc*MM iΪ{^m_p!pIU0IՐ=c Z{Sq\חhG4_z ( 㻺U&o>qr6FLW T۱ }C$vG2XpO gM0s:֑CgbO€Ԫ+@~f+L <o78giy@Aul(=^r,eFr3>D.XA|,\y击n.dc0#ǣ>@;1(BaW&& ",׋nX:ut U輙\Y@m[,L?dϒHGMK5~4Uva3|G(uc[!s[n+ϗ 53ooS[p tư2r`oh/bxt+՘Ύ >R@pp G&'/kXzX)7ăm}Fw)htb*9-!viL<6kgB$Asٝ&nIu7ЫB{)sLЁt,=1aPwƽ.|ST'ۧ7چ4CtLTӼX2Fhf*:UGwT(Y㢧zyGO&e'8SlwgcQFh m/%6 B F?)JeP܀lF|!? u=c=0 @$43gi6A+`n@O.@ b%A 3}rY+bʱڿhos[Q{ć^Ӽ Y{MXjfϬ^]SEO)ktjhH{>uG 7(}s쩅o[/tٛAUou+H)v{/7a-=,4A0_FZ;)o3≊۶k!U(K ܎ ;y!,g1wҡQty=Nm2lIPY q*+縵9ܑTomHR Wػ[R6&ѡi1.L)w3es_V gmp՗@@װK-dmETlVJ@(N [@(CbEIξ>w"}`8*Ȍx80g1 \h>Յ00_lԌ Kta02lF鰐}pŖ5?i7Dw6s%_[J?}_bX Y#jK 1e][vvd"'Nmzmk;XcO-4.H98m wA5PHWBH=1(X#~mmˁ.ԸXMZ\GIi5zDNT4X i1. R wZq5Rߣ].tיo+ndiZ׷J vCܐ>vGP I _dJcI˝rh%^Ty-(5oEr(˲x 8Ρ2;i &rHP֕d;g\!{('w9SӤ#~hxe=E:o, C `I0 ) }Pb+.n\qV_ Nnxe8ǏƍrE~A\k eabsGD,~I+D n\sH>f^$bF,B'0$ԐPT%eɤD: e$EVA´cxd=ݟ139@uC2K ~]TB=mwΚnp>$1rcdR1=~t()][U=%8dS{`"5M IFnf'PN/e] ĝ'T  &Nz?P9`I do d:慢N|qm6W]}ɀx 5îeb'3qL6RIÀ'.՟hHBCN}l*[ӣ)^EZJC 1c@`N'Y;9V6O)3q 񞓙k8 6RBbh4NUL,&J#`Bkuj x>8n'Bt:zI|z}f 3jZcӠ@ ~#,!J[YQ瀧P=pg+8r45@hPw"O ySHg(#_sG/v(z6cRՄO]%rCiq Qσ&F\l (p1)'MQ).aOS9J5gPm,S=^x#//O"aE<^zalE3LW [CQء}5+ԡPpvtOiS A`؃dw|¤<wQg^K%jŹ,LKmYBj PLz2+$;n/#ih9E~ЫB{_1`0ȱ֡$kzPVĩp ]-B˜z32`Dc4a["57\ -P}`[<9 i , 4dDPa/\/d%ܝhCWxY7 ծ9۔;3Cr_IA~zi(R2GƒZ|$#Xfsnp }`,!%+e-߽B3je!9F` bɏSOB|^ԌA ai2͕(g]V5B=M}/IT+yRYW I 04nvt.F40'PrBs0I-|7^V.z[@ |BkA}')DLp̯ߖ~&͖Cvڜ8&ꨞ̲%4ZRP|3fENB8W=׻z#<:4x^Ho>C լԸ8ǣa6#D*fn5g Xfƴ.rlіCbfEgX|@ԸF%Q0m)0ے5⺃T!ZB >]$/1=Yam_H2 )7  =G鰄;f7kߑ 0VIJEHeQsֽ$ ]b $y (6#MviP;c5k:sٚ sВ3UV=/ `u6-+o/;VVL^澡h:_;*K-yG\AS<1 xoiC[8[=8Y.g&*طI?!X Um[ VNvlZeŶzOAܹM7ydld[Y~1_ \C6!u)l_GCo8+nzzmo'l3r:N;a&[`Ƭ 7y@2'.ǻؖ4l#Qe JD\`p՛RQ=+M kLN&U| p~`|j"Vk%"H2RJN Ri&Y=DRM]~ bt/8 x}N]сjvZ&䠃Ҏ3%A6pv P|MZ~swxܭ1sa8>gx4MJe=+we&^K&f*dj e6:<# ?*s&>ܣ8"t4 Gq17sՖE]%Sɲ44t6c]TА^Nd1#*xde[_,cK09[Q\uIk$AU Oz_넓< ,Cw)aЈ`JZ>Ȭc5'ZkIeb典|b SAͺ$p#-=ʝ 篥-ZVقA b(#!y 672zZy6̐aJ3٬A'ra]/hCtM经]tpyJ7^NzkcV/Bj>80ciJXfӵޥ80z&yƕfGA@w΃3C6. be)62;]RZh\%0d# f[t: oSXE*0HMk|L46>?0=3IGr@wI^Lvm2ʐU5>}K @K#Ŵ 0'<VD}fPj˱4)E o$<==Ydx)^W `+L08DNϕdk-dž!l/܋>BD"+2gMR&(+O"igL5t?^EBgjtZt$ Eqp@tiY"&hGIr:1k% %D&W8~:B`wK| If_CK'9pnocx0Ւp(k8ȣN9;AпM̹&EsvlNJ M tzO N"݃4gD3ZtOj$G\[=Ao2o|`2bS~mqNR6ŵOnɂq,j7T`ijF3C7f,/Z2*Pq0+J7h3R,-M3l"~eC+X;uQ9Eчnҡzmyȿ#C)>/dIkv,M@:iVh! Q8Gg>bɅt~an׫i}=``su:k0,9弇i|bHxXjjˊV 2w2)uƉ.}#X Y1l8].Zn >)=Ӽ|$Z(;0)4IEy6czl?`s%5S+]r̫Q绁?P2|S_!HBGߤϡT^Q0Wq: ML2~ZRœ}׬$0d>)QԊ\Rc+]nP&IhI2 G":Tf_&]"pýV |W}E:'sޑ G)2;*U^ݨ` HMGSbNɳ+2%GURb '$tYl]N쬘jhl5Tⴎ"xA0^F[Ш!`qZ&D/)([oS}f=uVǘLrcA% :f=('x3tckHk<B+ AdPx7.& Dl^εθ uJts5b줘*_|z^__RA'ġ0U8&a${уɟi^F%M̱B{h3[\do6(H8J; Z fK<*𯎳*Ɖ]3|ì8$+: a hwsOj f406*<|dj'0dX kBQ `JyL 7!Ȅ9cDvvBVB.*\Ւ^,Zz7> ,kxk[ =8D3HW 4@q?8=m5aKda%pq^ex}/krx-l%uIuA" -8 @NCQMi WoҸْK̈́u #*F{KNHU0 2mn"ItGhqlfijC+IMIYBi@#=S@fZ:EPtTdh>e;{޼蠛e JV2;., U.]21IUW}Gr(ofO7Ĉ>>[S9k$2Zg OS=) fRI!ņ1p9;48z/Z"|y;XuW-͐"P$}DZdX(yq,x!Z5\)o=H]šl9MW<=xnSq}[j>?bRV,jdBUPvy'Ǹ+>LAyy\Kᅕ,Z^F;>L|G/cǣHb)I5ޗtfE"p ش.k^P-!Wcs$$|^ zym`)1V[˘RfDJevUR)dEN:!+?W[+BVJ&@Hfrfٗmo]u{wHL6 ]@"!.5B:rR9zK#ql@<}5\T1MQz ` ]Ji%i&LCI}wxψ㭤PZ{lFB+)Iz8C'zhESJ^/ቮBp߃)WyE\X Y$Dkeò4sbHv QwVV2r`7n!GMA}I8V>DH̙IФ$4gSLUãM<6_rhwDw<̻/nuLD$vX|s􁳆*ugMw?T,-fiʓrGU.P8}٩4ю$H4eb pA XE|[ dW:B1 Te5 t [c Q>(0,=n_*p`<<9/QΣw@c c~˄cAwj1N}|I,Z'F=FcULj~2~UQOH_-+`eLJM?V7Ԧ堙 Ms1F@WSazO~Q  EE[dr6#\=[r`d.GX_7Uc 0,i_2nmUw7 B}V1vUK5BOhC5яvX/4ô4Bl6P;Ͻ/& 9D4%Js8YIGܝ{ow//UJۼlN00KyaQ,,{S:,vPhTSgJ9_K,o@wThi6Ay]`j'?&m#( jfvc -Jx2ĺY^ns{GIW;NF~)pJ% ITG`_[MS]2;2޽W,u]yv4ZJI%?2+- F s;$)tSrt |ss c'. ϳ"cGऊsjts@>{Ғi:"û!a `x 1zㄦ Q[Bl.C)NaVݪW#Ele~_wVE࠵I/lxO#Us:-@նw("JU".r\6XYՌ|>n/ˡ;mAd+,'T-i4,n(xeBdt/`V&R.Qr_D>!m0mWaXu@~0 \„Z5wѹR5ÎMIs|XzPl#ےGB LSMO_}䅘 H텠W)"0ihro6{+vW1эe~9A*Q ˦oQDw`h?0PQ/s-WY #ŀhD(,y"?9ӻ$@6+}TջAY65؅?x ^x4|f 8ҹt|ZQQϡ!S[wŐp +!B)?JB={lQyGܺt*3ỏ.)4Zqp\ݯ%/]%6@AMs9aw^)JM|LI'K `j(x`2yvu4PJ: Jm iÇjAdv<`,[)Kd"Yڃk|3J6&97C ]RHC_) GhXNؓT-sNQ1 rZߑćʞdT1Bǣs"5o]! vK 6 Z] qfR Rzspp&aA@F!79FލIJ, Fe?F$!nkx螯*Ք+ Q6F1ʜ%8]Jjfӓ˅m4s$!a}u:)X)lЊ@I9~*fbT-}Uu{ƔѫE}B04صJݿғûxqT nr5 -^6_>8ؓci}f9"ȹnlf8 JlEdlL5.YVƒ6s+r/[7ѣ8mg,rB#JBNʆPs}q~'⦽BI~%0 rCa l0c-.12ug=-P=BMqҰ/DB6P( _dk\4q8R*d\DCե[[ϚǒsQKO\x'bQ0*<4hj@%)f ύont𠼐1hÚCJ-3d Io0P>,'WQP]u™C@E(Z;6B*城) $Uig YaSkHUk uS,A8bw? VЕӤqdïQ7wsڌOD *z/8 NU>qqRL.2吝Ϫ?$Cj6w汷5Wϕ<7SZpl;Mq(ʷʙ۫+I-kRHklVʵca/\Hk{`޹g`w,c~G Q I1uD,#ۛ*vez/E(Z4KD⚂&&6J%8"lpBQZ"APӈ kE xWw0c]B%E><6nK:&f"j S-ڃ ^&YR9c|VѼA:d0:`*YRz?r]'J p!c7X_eב0hָ˹$!8Ҩ&&f㥂%HmayhK upwTCCHFS4<l:cwDgh4V ~lA AGW53;'3z+vńoO)(\ba~Es_T;7^BeHůAf Ob48BM(ICгG;'=| `KiIםb9%Ā&rM2e1#݊c:fqULϨ7kݭ@-B3Ęl<:i]4txt9V)\X$sK%/Orl;Lz&vwjisF_ٱ'oQ 쏶5y~WwFYmۺ0v=vz6.n<@ 2Po#pSfF j4nŞ:ǽ n/ë/alNoਛMN<0r֟#=0ZO\8Z;17s:}-,7tIx~W腁˿Ybj㼽$57g+D{ r;mnLY%sPtF^Ǖl6!Njz }[--s;Kg NuG"|ǜ )kNKiț!$p,j[FV}#'Z’Z-21 BMٶ:5Ѐ,6s* v}MY@τe(y@')2dE3sה9o CQ@p~!8R qwG,˜עBygr.MsP=Mھ%ZƨM*5Vzⱸ܊~\li*ȡU(UIzƴ>k9@>1C0>}Yl!*ĪʤwV^E(ڰ(;X ڳ;4,PӢdep\[A.V#hp*uG3i ]b!̹YN]?LMh5RAsPi^ވQc6 im/F@$ǼymnxCG-pph Lh~a ?LlTyuL1wڸ&;ŻqR%Jv;$%t`x PGǞN<{v/;oe4W VH,\*RO+N⁧N uf9xsP308̹}ɏ;̧T^F?7, ` -'22j"I Wۯ|Mǚjw8lrF/nAJ4C/~Șk9"#K)kc+󨯼0G፰'3_ޑfcY<{ۣ{fd g=W_5֒#%&e`̍ttPgiׇO}=16`qF A|ݕ^gN ひ6\ƿ@rLxN`aof)1OǷ9&KGv|d߾z5‰̓ y/lȋĪ0slxüpq &XyV zl`85+ַ97gŖy#GZ3jp8iuuh,ٲeTr Fk$]'<:$ƳyCgp٭e+_ xN9v#7@^}䰤F_!O_OrZ>S<2!ֳ S]Y*TN{CD6jg)gzCcz$o 3T*6T"#(؂BDiohӔ*ž#DN 'f- S@x\fCAKEY?|Tm"XC{PIIVl7OfvgYx'8<[rP&Ið1v-g7^H.PL\ g$[paH[9_0=EX˰0湐7P §ؖy/qGoʅ?a qr1V@5QPUFoAͨ}ɫXŶG-ڎc3t}! ЗE2<@2\Z}A0XOrnWˠ\ZZOOr5kJݓIS~@?/[IhL~yM{m_|YYtxM D|RuVCl=?HǫnSoQ~8@syJ Sp#r>7,͟BO{[iy\ˤL%Q]U9 - 4 I?b@¾̗7?8;tEVu%Lm5 G"*)8~>Y]Hx*9eZrܹ}n/9^pAA>B)6k`;7^I;MGFJ~b6/IxSHpW8'܎w[zDgŀ ۏ13:()F dMp9:W"n7UIдc /oWSNuk5Q4쑵4Vα,UAh$͹˺2)߈NǮ!kٰpg@n'?.6\B,::)m,97I.KcB()p=!,[>تg&:?iy}¨+/5<ȟ֚,|(=y^Bj'@F1n&OA?&g`Vr?!׍J~y5%.!ab(HPkt `'.YZQ~_;ХϛGқ U6$9֤a˒9L)9)iS}z2ޛ(v%!leHwq tY"5FM<-{1;f Ai: t{DZHfLpuʞ{rL$E~ܿ"7>441Ývֆje+H@Ű+V1ȟ=984#'eZ$.S2,JFV @Cm2.:pKY[*-Ab(?eJp+]>0L0(FЬRG뒂(GH/3wp]M1b~|F8g !j—;qz-e"̎tɶշ:tlʎ;$-,.A0qד}qxZaMtEڿn[~jEk@❌9'q2q.Su VL:x e? ɹr,EQ.5; 2:k2˥|<@Uc" '?qc\-3={)fH}%D(MAfٹ$&E4&!lkpB jԆtѾDٽcUKL &g. kx*lӵ#wpfK #G1Y ]DRKs|A{R~Tv/*ȱ:o NK-pvy_)v/{4#V{YXӚ8eCN"؜H UQtOG[i6'gFQxp4 z4z pL|@Dcܹr[-AXKucٗ_5V_R'%,-e[Q>呩$RQ< ӎyЊ\JgR;z*Fj\ug K 7U$mvu &E6 b*y]س vCO;'SʧEׁCL4,.ۙXH]D/Npnp,u37#v:2GL>0qˏR"Q`PBB[nYP؄gT#TvතD EE PFs kLK{/\[`2|bӔVc꺼8e+ջ ̙q. 8' w@.6 c<27Ӌp7( 둟Qֆjz;͑Pn+I? j-)U"G;C=L|?[[~ a+!E7sMPj98 \}iUt0X+/az}1N q;o^fM U|v{QEvoS.$Z,-k"-%ΛrmڠO!pЦ2H3_.Hþ؍(ʵYt]ei*tm{eq`>:y͡AaH3 ].xZ?AԞ#%H#sF+p9\cR` c:VMH͈ [41_$eD>6'1AkWWT}pY)IokA֔dyg͊kRi& jƆ-j;L>19"cLҸN|n} iN]NvI "ed`͢~Ⱥ F- iDMŤ/?GL_Vbk]h|ָ92wiH6Ef"M@1O" e`AAj7p%{\3>4A% L- [˒m%H!]q)/o ~^cZJ  ;S :ڿV&/^\^e˿SФVEf qEDc )Q'cm/`|/Y؟&%y?,PG~tpª^Xz\Sn K~ggqL念zYlJ34kJ)9cyc3feӇaT0 aBu*y?s*Ff(rDYи`E1 *7md7R7{TѽqiU3 Ȩpqvo(L4vګNLh ߖ?ؓGT˞L~-9eHEA#ȃkaк~fHC'T&<J~hlLWI >Lɔ@;ޜ+PkgDvm$cXMmyA/8,,CSpvhPVt:HhWXkQ{IAAFLB|9IFoM8G9AFsO5w>m=6Qov%-< I9 p@?qpB ]D( JyKsE%_!-HaOR'G)UKNSijg -? QoW.|i3Kr Er†]P;I;!c~sal?QZqi(6$ojg}N |Ik^ؽf=~kt~7r8LϙlWg :3AReKo iȶLn[}|l t]{ !(PUc0KT XHul>/ϗ<'^Vy ޹ 3dEʇlnIJ*mf~!H^+YWG7x__t׭ [珫ܸz#-!2i_ /5,P6l*U{V7fڄ u ce&.bx՘SA1? KrьFD,͒MQJ-#qZq QԲ [V+$13gQeem ^S`6CP%{ *Rh*m<[ (MQH? '*q%M νCC]H}}­*_vrtrp?8t+Cj7"\E 8%FmjxDsH@<*|k^`WvK KW9N۳ԥ<{M񟦂C!,qcz6Uj{Xw&Sd5,$b_!8M<-GQcpa̒9 Mxx.K1Y/^ٴ*~" k PBmۻcUY2+Jw$hpogsnL95!XF߷ )QIpEZs>gǤƍ0Ü~0Qztq#(ȴ̮Wnʥ9mV$ص#-[i (9 5f3ft7<*jN @i{<.M5q)ReSנ+:9#y{%9:~.0'{A:@Ix0Yl*ow<@7=U,Lml)n13L뺹\Texcyfz)V;CUq QG\?PK+ӻ$Ӣ۠鯉UAׇcka6?ht Zp{Po^5}O!C(;L%<zn/zl \&Bn 1,Z?r"= wZ˟~ڸf:A~S\w{k?4րʜ}nG7GrSL`IAJwZ+QXcl۴\Bm'횎X #:\:` g&" J,*ґ^ 6jZ`jݧ›)Y v֊%<0'f$MwR7Pծ!)Z^Y(ٽp;m^ݛ~DQ=_!㌼. ѕ.AjMؘBǀD> ym1#m1q_좪?0S?igո3?+䥿 0sS  BKC)H ܚ"@p0t?1+0W ax{i;EvHIvtP|fS!W٤ H&a΍;(ߨEZn Yj$"zh>PH3u%Z;,/xar0KN4`s ;veaUO"bDd.;Hm2Gڞ W!0g׮$+s_`r'-ut6iVԱ/{^rGAIπ @ ߁MW:ZZ,@)eyoihAA/%7@GqaDZ+s\'qj.Ha(wZRm {A=YIz+*A^m1|V̢׼_.FΦݛ!4ןb b+zXcr7*ӎ/ە<Әv>U"Yv|*ϝf8dFP1LZ t_:6-g6"̹2*S k2E :!ۿ ړ։0RH:ś0J{Jt:Y~ĶJ|4ZH#T ͏jaŋoX>2'!Om|+&VD3,X/sBD;2a0$' ~Zgh7IjevbO$qƯ[ZГi .b2Lcը5"lG~8 K)&Hz#Sl;l]T =D&EԉGQ֩[ƙ T?ߡd{)JA` (e^ O8D8ƍxIX!D"I-δyr3Ѵ69$n4ks'j{{ܪIC^? J9r7Un{sB,;A ظ@PQd4)DRnNGKrn$L {dӊ9 K)z~FL7o&n4;akk^lKX{5-O: U7D bLZa(/hSt,1D GO"Z(L,V [k5DoBmYy kܸ6I'f,"1׃}K*T.달/Žʏ輪@-+N}b0~;3j+xh%&2$OHa,7e;N$':p2@4d熆b31@Ec1 o<~ɺM:ۃy|]Ƶy=ttI e1~t Oțߦ)4+ӳr#:FNT;-I^ۄ&.{ȬȧRLR9BemǼ6(tȋ`a!4q@z\;!YZW뻞?mR`S]ܬd|.MFS(mkq'Oy?c|AܟP8a%|eurY˃q\º,)镢pj0Iy6ٹBkˇBNȹ\M`Ub-6v"џQ9siYzJ,ѓQrmɯV>z گs,leWLXgʿ5 $Rv|5',:i#hEG8S4E(J1Z-wByUd' +8}-V+ jl?Vdˤi\3oCSEA:\éLYJodBkRw34I|`Np}8SP)s6l5T^2y[{^MȽ%V磓 az-V nLh,|%rUnu)gp_|~k$7=B9oǾx0cm75Ӧ%V94}HVj>8X1 t\2ݽ `OYO QAGŲmYsp-2S'/2šDLښo2(X3e~Eo[bԩЙsM& ba8HWLtZ!?Au&6P byh㢼u)ګjlvdPtnɨ1=qI1YB?|%Qş#)5D%rdۃxyhL];m N ]'b丒mt<.{LKq@1B`\UYl:t*#,| vA>3̢Vrh)iG].+z |*)tF_T,i+\c " F $D݋k^9PXg-%ԡZ_!RIqF$`)opB8$^/c 7JK˷l5ݎV=>_5P 27#GDONd}jH9a\n[ 8,]?\m9$+8FV։"MfdK0*$"D1B ۬969GQGanv$1p$ŃhG^TLEz'K} ˆ"̲5i޷aX-ӿҔլiރ\h53jz2΋p:M6LƎ_/NyosO&`sόsL#+{#t5ڿ6KM7&6jW귙lTjꂢ`?9(EuFdښwKtTB%m #.;[#lJq QUh^̧8nw-8 Hj#>Nr/!z҅KBP9+~SCDaq_@%& ZG>ioPjO9PȬ'dڔI32xcsTv ſmY<?|pɜE$i$tL|iCcpo \ ZCuQ|mQݳE賧09l!5E@ÿ5Vo1]`4FcV"*)n@!_5\G`2-.15LJO>nvlw`S#}dp~'N%GTEtGHBT!I KWԷO[PYPG;͎Ch[R10LT~XFoا5>bKc;G%|mhr ƾif 49l։NwNx%H((`cV/Oln6FiT,(!ݶey$QH R^ЋS, 2cb`iA1پ9Y4rU|7pH9 OX֦C.}gDlK5̑g[sI98&V{n- }dX~}}G;}7߉Mdqn/:f A~<=c1r"+ZyѾ} aH5웙n}q-f$^!v^[ֆ gCL?rã|SGr09GP#~6S_~GHO7 6D8Tz$).mSERquԓ o= ak\Y;n~9kMVY=$  n'w"‚sB &8-;1}BgET:nrY4͈PV7 | 5{_:i4h|M0,Dm XM>Ҏ2"D[-˺D-tF d&v _/he:'^-UJԏh{XI~H#^}7|F|ǦfRgzp SՆQQ'oOBE$D.:[FpgBFoD^M@]2vtC=%Ud DhiE-;Y(dBQ5ʤ){ >"W@z32Sdz#'vAaE+ !HǐfHTCq1-9/D~Yr<ō p"-E40 $D}Ӳ.8EN꼘rqҍ5S =+F{/fnh$^l@r~0tfpgCdkpO@U*G,v-q {`۬3,|(bcu}O[]e#e<}*r_@#n [ ݬXۇI{%=H\?B kW 0 rrFKWFbVպMTv*k/}G 3ڛ*EEOTKP)%֮s< k*x%Yx=7!ӯNa*£U; fX߰u3:!LT$N$q4t7=Un+\ 5k0Ip)(u3VX?{%ֺS,T=(9^EV8\@ Gc& ?SҘٿuጀaĄ7ɡVKjӄiC'$7D3C "P ?4d>L)<_ a!FȈ8B fPIa4`1j5w p(w{4؋8 ٹ/ޓxyHOFy8kMhiq1|P{ojD'}wܥ@  d\, -ܷ_'oNct",z_<+V_F捥~-.{>b2u#-+CD z?JD>7Nǔ4 -|P(c>%- &#z~7NADfp).y!Fs@S/Do*J? ۷d۵tq*L7-FI&A9!F7豲U)7nP >+11~ ?j8¹jfRB/Hƺ&R[wXNgҒ:~QJ&vm4q*uckK{n!-YoM2" 1*tۉ-gM# !5лs@W;`H;THw+5Ybo&K!Gm3mi,5:*e$ɂKm2,#ϛI4n͔v:ݜ3r`xL($whWIE$ӇãvZQ_ʎt =˄ұc?$wMXEC j.>C3ao+Ix``haNVٯ0tP?ˋ%Hz}c8$#]qWU3% ȚX}? 03ޙ#X\1FJi J4+n#D=3]n]|G6;d-=j}ٱښNr`9Q@%sr(ڋY*?vE5볔x#s:ṽPozfmȪ_0'zh xqB̟ f f]d(R}lָ_*Ժ7qY, (9igaf蔝03Ly =V:Z,ق;rU%`%9L8֛nF 4'IK-4yZg,H:Ή8Wp7LQy&S6V=mo6R euCX6̗H]URӻm”^{gS5Ill39Αn3GR~l9vXƬ ;1 kȍmm5$ Gx5ReCۯ{i xt8~eUD)fA o l(5Ğ"7>]07"ҬeyFRo5K5I͖'H*$um%쿨.8$PgD*0Q\!WX@%n9h*YVT3RT J poo#BG:1CfbKw3$~pjږYrRg (XȲ8_ϯT!bR0!yڗiq#$H«+p @ℰ9QX`qAոw,„B1HKa" Qp}bف+髓4U&;EJ]S-6S0N c:5{W|?"w[$~"o(7[oU]R: [y'uoYH$P$ 뜨 |:*{㶮G<)ExZ.ȏ&ʫ IXhP*k C` הg#h2_Rp)2dHePt?@3͊N` ZJ{~`~I-qVnAHD~1|E1X:1f+ xv`ra紙# 깸%VbRfn7y"`M d.iS: !#Έ3O3+=mӛÒ1)}BXVDp' B>$|T;az׊IMlHxH0ٓ=^˝|NO޺ N V܃F LP|.NU4ᆴ8쎤)əw:P7s#asMhJpۛ46)ڌQ?"'{eyk䀺wKTV4Z/LǂF-h2"Uc1c_]x[[? Zm{/c\\)e2VWX!P󟱖u/iO2ۣ3dgؓc<:@*h y (O[d9T|5IӍ02A#`9ߨ?ˊ<V$wt_@!1So*A딗w :TZZZ()>zR$'k8tl>k3dFW|,wņI)L{uX8:?'Tpzܹ"NNM\%ךȤ@8h춼zoݯحE !LAw@sn[xZ~pvW844@k e0M5V[:u-/ʉe!7"XDζ>\*1ze2<,7w?G=?0?pk c$QJ:BuLǮ~%ڮ&Sm4˷I*ZӶLg rZK曆>RnEt>1]cp^y!Joͨ 6,}HhM(4 VkᅢF7hۅY@? <Ԙ ̜'[l|n.0?OxKɴMǂYIXļL} Oʔu~ j)\(K.\C þ$Yɻt}]~B#JZ%i6Ÿ'vM0 (Ep݆M;(Jkq-;_2Ws$Jj`|X־{FCd@;mImg%6w͸~/((2 v2Z?k~~GEiٵbZmmnRm)yK:9k9 Q`H2&T﹤qPd؋hI` i*nAszJ } 6tqHk ~6^Y\5@?e$`VR0a!-,#[Y 8scRGp`!庌j2CvHdNA4We6}K~5_QP(/me27'iC3-is_9p[ZG7Z*e'&tF E/HvP$5(| IKTN%Qwo`(ia',Ցn菏ʴQтm}@ԬXw&o8v}FFZmW@QMaz}gt51Ռz+S=-6ɿHzf响הMx#ؙ{Oz<1#Vʈ~Fe:V(\%%Eme!CN*emއXyc^}~;c~p=7umɾHBBk%'zҼ_,fXlG7 ;A!>%ztnw֮Nb[E2:۸DŽvqN8ь̥gs3) YL#8!L;ϴ{cl/.)ܬk uS3пYvek Q%HSl|y7k¨h2?=M1-i;FSWm ];`̍[ݘ[=/t<|c͎ΖI=`T VJV V[0nqC{\x,"Q '!iH ކxfsTQBpŘňHF{8%*Y RhdcItRζˆ6Y?q.9w-41KB[ c.vM>>UD[VjŞ)01ВMHFWM()naʤIߐ$&v75LJ[F6Kw 7NQ~LlIiJ řBߡM=k4!iXX7ؠ(M3/}i9ND:UMleBobl2Nlp̜ssO ҕ3=91VuW5':  DĪpɁöHfn[c,hvy68Yv),1~Ddu<ӵݷPUF,UOM< aR>ܖM[T5ܿoOwOan3D7 X >/bP>1<',ol K:P"̕v|scH%.fJ_ԣV~t9TQp a{]pnY Xc8rzA^B?EL:JL@ًIX3_'mΣ[֘ ]Rl 4({R:kN! #6N }=,T|? Xܴ4ڍF`s$M..@% y=,wl%q.nŌ5,҂ȻG@J0OaE{oc(X3" ke)w{qZp$Q%{;6-]]Cڿ~lAXOkޞvZ_e}9W,:>rzSe̦Js=z/xWkg_"GܨFu-i-?ȼYO&XgJpo _u,#$^3@N6f;#be(@][[pDUu3Jyʸ96Sّ9}O_5Q`ogJ,z,, 9G2ntРG a Nv "0jW"ܧi>S^-̓xgp$P5=j *x[ЪBt{ET+xu²j 6Q Q3K>Fݼߦ.'So/\3p?0A&%BReKnL',tuc{))_9>|`:.+s@H# |ӻ|a`B5lG 'w"b栵i1!o15M7%>%_VE5hԫoʓXAY*&.] ?h4.cu؇reztq!t>= p Q!|<1 ^GǴj Ikqqrɪ,z3))]OpBq^P4ed*[MKYc 0UV@㔱f˦:}(nQqy&?;cWvEOK4P;A3؎ (R mZ NQ`5*p&dhJo{2:ϖ YŸDgEDy,0RU(R+G2Q~_,t Q<%~?=l r QsYN=Dm1o3 AH70O' }H,>SҬ%j1 swҷjGER *Bo.sv5ݠr)1~[I3٤zjx7?cGLZ?_z4trBEP["+PJ (8&ńPYal6}TouД#3??TPh="ZBG%xMk֋9׻Q Lۭvxd?af'j\٦Hr$`dklR![JO r~_WzH~J/3 ҹHH|v4;IbA!4˂x0/ ム',ݯ$bJUb%>Bdt iI9u&{qW -Knc h>-^=S cmb^g;]5iJF1-wh#IjbBF6 ^lH9,$nʲlZL/fCNPQQΘ߆OITJo|pAg+lq: j$6_,A{>uVP)R|ca|ƺm@gu<K}ީ$C>KvP# )?Wm%aa\>x]_3%n} g3“;iDmh 㓁x-Z"_-' jΦVIyQ9ў$8^x$4m2(#Bt&Ѭ.ޮX^G54."*~yDyxGC*jJvsTa<& ו[]z> naBMi-ŶY5sﶅ a* *HǻJ4Sz@}fљOh&={#AEb~zW"ȃܔJ6řB#s:N4ґpK~_%!$PH]JK *Xz CiNV5VgHz-6F'g X giodEbpޠ_}> PxV:vO-R{HaYWۮ䡫2GdG6M2z/aҕVq +8{@6vNOe\P)]>p0yC7XyMbD-^زVfܔaԭᘃUE;Mĵ`Sb5="=Ƴx'%(KƤi9mj 6{,TSuTXZ)&9]ތ.yzʋ@chtZ)*OGƆ8ehK6m.rؗg5J+$UibmvV_&0"lhNWb`r T9hx^qzzny8ojV 9Ek䦴jkc  |`p":OaңlCXi( 'QlL0Z#O >}v ҭb2\Ax]-V^dxw'xd@C6P6\6YQ1f>= b³5qq 9ʗ8/#xlRʽr5yN2JW<\f/$KؾБ!'bl䝭^H[%` I%&|l}V0y_OrzELп!S"L70_(5^Bl[ BϽlDV̹Cc(xF{9рsd4Ѓ#u}.{[yr/09eU`w<de[kBtEY !0E6pPbRQ57F~YĆcn'b\T e{I;4AHxԎ ^7N2C>~pp>0*t*vma4__"U.›1n]&.9\Q=k'lE[(guWU\;/_öQakXU ۜڛ>Ⰻ)6Im|IGp_/95ɰTpHRBEb%ʽT'iAӞ/!9`mѧ#X[T%NB, m5W=tamf.ɉ`Qn à,yoX)5Scj=ɺ%>azjc5A_J^6o!9v<6H(8B|=OQB; %WjklP{(^v >G+PH_KOwL+wO\oR*OR#e|srYG۬!9r<ܱv.~HvfiWx쀀p4P@ x$yԈ'0lS0tB'f2 oEcLW'6$@ 3"ա `1=7  sV>ԢYn,qGvyJ_5r#^J\}ab]>،УVFiNj/V4hS4Ȗ ӀK?>'fCaRm:d r;*^!ybV Vb^ig⦔,VxsXbF)mc4SSl&QSvj g,ap]ix[ocAx1/$ %E^9%A$LIAA90o x5G- ݸD7nA!/~ߢIĆMuj|`s(>g:/8KTy!`Qv{c^).} h G1>u4b!^ۻA#x9FyP\ޑɻ͔%h /Ēp^[2=z^i_'8U˛+bGЅ5b )u·BL󫒜~!F1 T;i6~fU"Օ{ZɉOD,?xV7;Džm8"@}L5k=*kjLW_ﮠFSB-THP ߶-)j*bnŎ ? + "Hf prg5#g G_| ?p9F1#5 |Zo;x֮+GX5> A>Dş"i.餫yʦ%&RظABRFs(UW猜6@Y.Ti(;)'EE~ `m3I9r~",lIFDb=өo0&AѧubQّCT;Әǘ}`>2P' >QLD6 U'r#ΌA|8OG.(.I{1I'!"*Zg-%,IJ,~E4R<5~E {>WpZɥvD9FF&st6A*$>دee O&sG*vG8q+1aA`>5cq|A >(&>n@oȨ8#yS! [[&q_R[=NL_Ƞk;.qj,Ҡ'냤il..s^[T(L jrت$N@+<+N(Ukշ_$dD*`O}l5_P=Xo9TIܲ숄%B55mPGaT ,y;R/ߗBF(!B?nq sBv\8g5r̶VyQgСwY$ᩤ4({W@[̣~Qvm#%= 3QAvp_=Ѿpm#NL*.x|eIN`S_2>zV@>A%=d(>/ot0$ȥ4rhvbn^b1Tߜ]|@%c O%F 'T9"/+#(J1+a\~BҡwQ%Rt>i1re\Ek~60Luy&z8#[uRQ(R_.b5Bdq~π}5~ {'Y▞ӎH P9'pbq`6똁$)Wԡr ["Hol  gk^Nܟy1UX@/Z3fs8SoE]7X+e m֏aH,WO$8vB|tր  po9ux?pVpхeתtu7aQjd*O~:Wȧ)gEzԼkͿǧWt eQ k1l^q3͂Ĕ.Fn@5mWrr&s `:)?yioq>k1ncn&ARȺ7Ӡ7U q9c%)jZzㇲ=KaZH 4fEOb*G*}>G" %hX CCxpFuD?.\CΧ;a^ o!t.F5ozOq[.="D7nˎ{9-pV:(eЅ CU`m:$k7y#V""ENAVI۩/oDaMquJʂ·͢Z.)(mbY4\=FApH]jޮ?rRe%}o#zxm4=zhuj ꒨SIoթk'9K!=&E3DIhk-8)1rffj<3*WkgSujWSE!VC+^zB+K:Cp(8+S썺}.%<vS_ܿfٯ!-]!'Э&!NɨzأUך"h9U.(MddAb[fڷ4Iepl*:ߓܡDPZvB9 bsA~vIQ;ChAҦ !7*л,g{{yβ64HW3*x- !j} @>z +I$Ht뛤~!0U/M|3Q?$QZɰ$S⃲oE5 FM)XO7bB(_d=Np xC/ڃʿ}o K!0hwǞޢɥ^ :DX7y9?{"vŲ*{X8*o~cXU XQb0%B*Ѣ7SO,]R~Iͷ= ] \[HLWETnL`4d,v`SQ Sq+vTz F;i$!Nۜn ecdx38-mj' hVHXVa?7}F>!ψJW^5X't$^ eW h^6ζ:e`"ono0Uc(b,< kJX)QHpc֦֝ c|"KeINv/2!4*۰gV襚o–RӻY0ۓkﺥy;fb=m?Ѭխ*8/%G^a0e=ܷ% 79-Ͽ) #^3sAT,T̯枬x"\kar~+M.W| Ej} v_%7zd}oTSGYG;<" 6#TEx2L!zw\FA䁪dj8wRXB \oZy_V2` n[+hk^CJbo8] pvts<]2*!{kmȥM([C00BeӲ9sE4Dר[`DVQ"VU!Rpse*逑P>~]y0GS0nߜ žS޷c }L#cyO>F$:&  uJ:zONำ_9SJdHjq2$q]Ԇ\';h/A9:,k|hp&6C0c"̌` ÖC' OHח'mb! eq^}2t¬?p4_>ye5fѸk&[}1-a5<0'g2H) e_!@>f ,wJ~ޔ#d;pϜlpIr}ZZKcqYRYdh$k-u Ei*}TLeKSTm SQ2f>ݽ>h+M,_E~% )C f4E&Spg ^)Clr:}oB$+Fڮ˝g5ՓdrPHϴ>뚚8G:e0?.vE[&!:꽒0EӕxlX>&'!Dϣ7;J\-88He8еk zGoap/ y$;F|̠BeSP.Eka1Qruwc%Ӏ: }&ĵ;h8GbꍷML8U|<)HzjF8 4DNU(yb8x(G#g}RYV@)h0M`p#+vZeRO?mP>5>eXIUNȺ-ڏibV6'i9R W?'lf4c O }W(d4t Z2"Ɋ(D[{_ځr-Uk$ç~9FPz8{sYҭ% NKzkwҡEL\*!gRenfT( X I ;07ȋBؓQ!k?nvLlrQ{Rbے6P[cX,Uf{eQc0nIp @o ><`vy%\W_J4w)|e?C8FWH2"c,R»\e;nu~Y6fT8UzIAD-Tw^94vB̺He;3ҋV%?a.y,4Pj_g*$5*hYK%O.(ٴ"LFJ9Bp섁kʯE VM"Ab(.a?_/qo_8N>^&[eMwD1FKƒܪ|ⱙ]f/[kdw&_e0}E bT dz!N6hÒ˫\89{?v|v/&m8#񂲯ZbͼR;q =Q̨ӡ2PjX͂?8Up#u(NGoMber\ ,> bbr֚lEuW e&_8i*_rbEz_9}GLfu7+oF!ƣxQgOՌ۟^>l&,cBe҂Hd@~Rf-,&in#sME{P@\qhG`43:}u+HvGR_F 9DZ2J% 5j A{6Or\XIUR 2ruԨJ n?%﷝LgxIDtm7of8ht_m%-s%al |d pWf\usIc'YF=#7Q$[J!3/y߃ScsVAZt܆HouC#A _9bpKY$}S'|c4Ɂwu&,\'A ASN.IWW_]7|CZgJlzYD2|)/PtfDoeL\V|ˆxIH@ ض@o "(;0`h+}# ў$b<? %+>3ԛ6yp5>iAjiOǼYw[H.qUg^]݉>~G~nvev>۸y\Cس6*1A']Qe;|K=ق8pϢ!-øb)Fa(̑݇iyLƭ mLIWkyYϞkW:(lx AN}1dMbMЦcv-˒]S[䎉1 Y C}Ch O7v#D,*fCS/ #0w`ʍ%)nLYJQ)q./%Բ7a>K ]`*-BʡŹ[UF9W QE^{:6&smJTaez(YlXAF҅F6'LƿsEJsIl^ct\UG,&–pYmB<}>!WLX=ƨkr%dz BWwjғa @/T1f1UJ(NdG*R&K5n!*7|W8%d)x:szBi{,Fx&C]ќLz 4[~vֱx1|;!'ltҒ3,wd"Ӡ&/Uj5+p.DAׂ&1v l\XעPvn0DgsMd+(Tm"UYnsA$Q%#yc2Sp#OWII(ҝPb&y ן2-57} ļhA T&h,h 1u7Ιh1vfGR;~X'Z !mb |ۙ8qoDYb!Lʔ0gZ-  nWܒm&"GCx!Kz7ZZ<4jטqQAҽiۢhWL(-mJ_1m~ TzI6B++~ga y%rV؈iJa1s'cIͮ>?޶g%.f=|2_W{ЏS\*`ON.CU ٰ-/@iAO~B~2fXHmZ1-Dhco0,uйmgIodk v>:A/CBǴJyRƥ~gZ0Ax^ݎnpYKPҔ(|zcC1+.׼ #X ;F]Q8ZpueNȑrd\l/ƵW܇iG(^1N|g`H aƜKAx}56G{*xgSV{*6Qy<&/SSz]+k,{> RxjV~D_=B^j-xu"L8^>=rA`z ߱!׻ Y57ܚ X2 s[U Xv(Yl>nPT_ƃ}˔_µǗ,5g`YTW!.bN`M8}řH8Em L.u=oѷޒHI̤~_xSSr2>SlvσS>7)?XCg.XRWS{PUzĹUNM()l"-JLC$K8:9) E /bb+`|KRlZl9n9vg2]{|T ƽcW.P& % GȐ2ahv5X/Q-bS](«ҺI(} ȣ6ǐcُfvBļG 5[GoT#y\ H̟s/ y'D> D[b ?Ȭə|6݅P vp>_Jv}a 1'aORe'2ݝ5vƘqnMpN̥kc ) Oxw&TNy iOٿd 5~&;1^.Z7 'QQJ`p :/eAW+q6^.yS&m=%{Sك"<Ҳ ?f۠q.im=?LOX7. tWS,/AJ6:Hn,{?+v5$kd{T8 XxSvI72@^?W4L"`ep'Q< +?( &c5a:Րծ(A3Vکd[6 e6y} ޟl ]ma}&Dq[vڻC^ g~ '~c U7)hmy%eonx3)W8*ʰڔ|BFt߹jBg8wR-QA_(Ђ:Гp*gY.ܑeK sv^27 nӤzL~ښ4!>*gAalĸNJh5blx)1.KE 4'w[?CAV }}n)ؠPr!e^INc3Edy@.X'B ha4^?09HӉ޹^R~GU@2\wN& @I0jI t>~"~9N*AئfȺXQ]i&I "WԌe['3 /4h[':x51D82,3ΐBkxDIJMe#M&ig5/8l0}s E%qm~{y^r,") AC%&J\*k ga PxDTo(RT8yTǩ^[L뛜Kav]ͲD#,_֏r)jThdy% IO3t!`iiSmt _) U N]R 4"H]hߖY;XbN>GSQI?c2hr %JYs+3ǖfC0l s߶\HoDLN5L2xbME֗PL XCر07,s[Xq1JqԸg+D.mS4d?Cd j;Ր7پ]AU#׭LNjkLva͗1L͚=r}TXX*Љכq_Hp‚ŷx)mŀ\\Cϼ+ގ:3] hkuc v+w޳vGk,ܺlM,ou*%TC~d+J`Y:А PU'ȫoZ1)fbAɗTı.\Kq&CX3㗁g"s)?'tn%įpbdvmZx^+8(:IK' J8nA@#va5U4*><)^[#:y eO"Q}`2f^ Jxxo(Np-R&ǐ+hYF>0^`/M w"# ɤD8L_(] G?`>у::]gGFV +a AψU?=V'4/J`RMa*s9EGeEpBy3.6"hGN.dJm:9Da?uW"tbse0q"yh|S@BnUdy0* &ؽnDJg}2/ޡu\l`2ݘX8$'&kA!Ku\iWP#2zDžF5 9f}' KJn̘@T3=tU]ctܙhr'*~ ̐[ VLxy"$v$9?B`!!# iv>Q x1;+EPrcഡf2Þfr3߁%<#at;C |J-q>GJq}1v*^?r6 q|8 C~oҪPZxŧ]b )ᛪ<7,!."HHpyT쀫|px|(U;{94J+eCч3aƈO]?.D\3#+\}=xA Yu>Y#oYv-UVs/(ĩ#z;X`;z-]Ral\clCº+,zIwE+ I7,g}KYR ޹8,U' /!7C ;"ƦxLNT`2t\Fc{ݕ\Xx5{„L"8]F'£.<&B;[G"݃J_WRѻ߻%9Fͦ[z]Z|ÿvm:l%$r]@-g Ck% l^`7ZI+KYQ$76>@tpa*̶"*ĸgǞg|*;xdKbyh6ZIz]XrW2][D/8p]"AEX\#?GVMqFD҅d*-/]9}rIシwNUr݆}ϣ0tP0wP"xNԊ+j;*'lwJM lljlIK,Ql~knQ1Ls|jv3ib?8|q@ʑ<N,nU/1l"@Ik{T1^K/v<̀2Z9(rI 6Ԣ\gԤLW ՜Sdup4`>Yڭs!\؈*}8\ݕR#ѲߊU[Q3ֲAqI]y^ǫ:)-kX]*iCER ^ d}ˏ! tӗ%3&!DtF9-~lPh.񘀍kt _{rW{"ϊ$D_c+:`"JP%]_|ܩd`tu|y*Q"\hhi\{4UZ>'Xm@)cmzj4n5;?_-%.Syý/`Z ?I*V0+Ži꟔xB%+~QQډ+iA-HK5cyp_IZ&A@rk k]%/CFδn_"vMZ#0KW췴zn';qqt/{w)-+:8w"B brjȳ% 9(\g]O=fԇ~ $&q '5"mLvYVdd i?%Fyt௷?sX )ws l)m\hqU'a H}\!h :wن-.;2/;EpjUf.4IZ~.5|WLHAX.Y䠏/;Ba4T2W2dT#Oim<ׄsPb !DAw'+ǹzKN@٢@T,@ xt՗-Z%r yfxfs}=D7kgJQQh>8.:.{m;7VXgKc|B?7#z.-}T.?b2Zk Ԑ٪,)!Q$Z v C,Do=ƭGxRހ~³KX[-zKƚىR6M€`SӲ$|S:9&O9YBkdSG\G Rs=v<{%L12r5%U_q|r=KVgOLvB:4;#3B=|6xH) BU}3)LF%C}S(\&|'brǀ\^rm};KwDkWSk'./rBnl `{Ž64% oE4ѭ B$vDB2,cz@LH.;p{.qͱ8Lc|dE+ uڜJnۢG_r#<FKI\<٘FJNvshl̓ Loi###YZA 6ض2:9x}$OyP62M硴ᖉ~md/,3?x}m vM5]'u"%zEs}P`j Cp|x2PWTg6K6 /e_VyH ia]ޕke4Nu` Sk<[V;D'tFrPOyJ!2ҾO/ LǎA> >;Z8?Mz5UfRV $APĕ~#:&pAWaFEO!xKuqEhqx}uӸ R#.{7`f(kC υ0_[hɪ >[ꍮ(G|\7sxM,=?Iڳxpʌ8NE0&%=x\H0njD'۷r#˦ҖHɟ\  s<}Zo\) lC&xs6혺Qm?c2u`%,_iabCPIOqa<P3Y álz8?WF֫ca@&z.ub'h~9г.Hf~5cx*ˉP9_Nk- F=EJ~aY:C_&wyokKh_9h1BGc_));?LqJZ?QmB6QDXſs$rbR@G}bsѕ ]RKlr DdīcLu*B jrHSXa 1²&ߤ0<`&'Yyr #O^ \Z:gƿC0|A'o$DΟJ٣KxBʽLsw䃃@oĝMp[^?FJlDR;2+c j#Ab(۳ebUeqmS䴮OAF`.QB`O"\TA S4r$z[ߺoM='͞p\M5!:P.;X׃W3F5#TR.V?W'8䌮*a}T&쑭I^QW] ;K6X༵/nu!dN-O· aƋ ' -OS&Ib%o 43 o!'exyDxkq>h!rxg o t, 1ňqGռ'[X OrHXX/8mXWFTk.('}64礇yC33}(Yf_3EyDlCZ`̰}֭ϟI}M y&X-aU ?!yJC؃`_GxD*vȝmOe #dlq&eY XXz[벦Ge뮙M|8GO"{k pȲP͢ Ks@Џ*+@W<jo0}9T-WH_A[4Vf?XNANU6x32M2b^ Y8>5@ަ Hs|c&r}'=ܕ`>3$naS=-+ݲ)e)#,R&hPmEe$H X:Zͦ>0fWj63@4'-9Ā}-kKL vYz6>0^j4""SQG<[SerE'T8W7ܷ_ p P @_(vn tT7Y3B)'R@zIkCusKRmOI35eG3/R/P[ CN Vׄԥf:4c;utJZ;˭\KP9=*OFhhElڝ^^PJlMJτ{]R8?93` ",htc:Xie'Z)k*'o `iTk(Q}Z7+cM*8^``=@l-zTKbdC2Zx0-kz'3q\ЍyP) 9V̹6,ئ\MVUn6WW[ڮC[Qz-:tx;HW90 [T{KRDlI;0k`M)XR9r~&e; dpN"Z뭦\Jebݎ.&LGy1 2,kng-} ;(<퉸('\A[h)AhH,@ <1^OK<Y>e[Fh` @y_ܙ}mWRX()sMO3]"rX Cts*y>+#XOͻTXn6h-*d<%R%OWtTB$O!}:jFp_re>;zrMGPY[/m''B O!|$X#N2 Gf"nM qt3kXX0w)a#V79|81&Β1~ .X*ʅ\Rʘ"[twHw.Y %}RM"{Oݦ~Prҕa@,!q8!x`qֽzd9nKcuK`1P"}Ԃ2B%sg//Ps!Jkr.P~.l=*#i: 4K=1w-j;.!VM6թ;"pW~$R?Qo,FMFa`A擜A@ W\E͒9~ikB$^<]!vv]Ll? S1}RKm-A395KxL\ȪIVH ;7{+W%ۈeXu|hA(ώxE V"¬Grr]S"j^Ga$(9ץgTmJEC />TʪIkoc~J,Z>Av)pLo*>ju6YnzEf49i@(f@H̷^8OY96r?08s4fR[o[l{{E\ge[zRC4Q-žxO q=eq8&8AohBS g)yCϜM$_rE=H SfޤV)Z=IR0jJcM&aC[$MBOe$ƛ̋@c4=MFhvbXt"A{Ըӥ|Jb,։J#IXT-0{[(^G&ƟI:?ķeYOHHXYW55܎QB[k ~\[H/FrD/砗t z廊 䕇yO4wz]Oa*B؊4pxzy܊,5}ᮮF@FT s9~j]V4#}p3lI6 iX4oi8m-Af Wo8@+zΝa3t-$GX-1l_[2I/brġӇ&Mc0-6]k.g (9[΁68pʮںMk)| v7]$;]hۍḦ́nRwpL@=Zr?ھ ]%Rt|l8Wkm)ۻsoky~l[(P[w%^ɀaDU74 ta|uj4ͩ\曆VWPI6b{sBL܏T}ӍL+I-pm3tEgO?_6Kd6yb 5~ecYZOaG_? )xK!Q> |ee˨)9qަmqO7 lU.f6:MMr+Rnty*h7t0]f;mGmj1Ų*pN UGj<_btb[/zE<TP3(]yG1Q3 ?,tL_F* /2Af`d 쎹*e˧gO.+Wf#E@]yi7lwBiġ`_d+9r/VBVI+q3ͮo6bZ97NETMyqV{ 4P ;ot!|E_X Q-zIU#t"^ao$:"Y3BNU.|?33^~'B]C:2": 鞏E2PMk!ߪ-O"AlLNyZ~y!փN8МmXpeCkogpL.04 alqKq( -86EǗ֝* %`_(Aїdx .Jb kLPOg?cZP u,~D@, 4 ';I0Xl/d\_ZP5eZuwo/RX|+<-063:V\o8pTj%)o8L0C݄[ ;"NҢG5᧛#CU+FKeۓ)EW`5 ӌ3CY `}s.3G4ֶ%wAwuʻ)ڙ!aV9}q:v=ϿdpZrW˃$x 81}'<-<%I~d1י;^kA liYޓ,YM-`^VْD@yMFqCI7w%oNx׍ ~]lEa"G&!+KsNv~ݭ+\R+Ml{/@S9,Ă~Z(m!9b8cBn]% Zt2SWG-")Jai2LLQ449ȾCDYb~q*[][z=|5jrEJh'j ?Ds9XT!!" W-;|FIŮp 5+:6DѰtYB5$-%l9~vTҹo:6SǼHH YZMU:oy,y!=#5Q'i©oco4cb*%j\Q-,p/ʑ3A jqZIvH )6c,+E YX66V/,U)bCГߺBףk6!u >\[sQ K>զ;Ar z)ڊִ\8mNalyZaSaӤI3* ^‹QG^eEsVvGZ^GQF›Qe GR{|\'ɫRl\ޖJ;+uOC ۷/@FY"ZMRw, ]*?h.'g@1Qf#L,`d';ʜL'j\UQC$8l ~MyH7cd?xqS^J(%Kqs&B=lFDu? ^ qb4kGO<.%T KAtBXBZɽwWrO R+%# sL.5MpSK߰q׹܀zY[ O~p bnRTH'?*bNT2| 5,gu9hn.m!^()^ʃ dhM)Z-mvЌoѷ/ @hzTtdSڙ, q?\2qn({°El-xsN$ZIbkѿ'8ϓd@,n3Hur6`tN."A bI| v*(o)v Yn%~M7R 77(ӻ˯E1a,}0wΕK.e!ކ!?mHNlU&1 Wb3ҭ%T%6".\vqL!S0.-|v)l'o Y"I0a'XwaǴ+Tn:ٗ/ݔmhq7 i1e@Wi^g^eT\DMc:-uv[M1֜-V B$K޺-e >RPR }g=@T(6R 6ZU6Q:TJ2 FB+uM5P-e{|s#l%QSo^ Ӝ߆ؕ7 Nyxٱgd*'oeK"A8bB0w־BO o_Y}in[Ĉs4Lw|g= Y3|}%T`b-mY:cbs6]ô@B]s&TFg,A/F6%UTyU;' }P)w|,(EVu`_w$,r~8FXsʳhs_+\˱oV$U0ӎFu5.jUIŞyڮ[u8( !@.o4ŭ#5od%J2y [ `PoJj0#$abU6=\s f^8a_jpkU3!_:E%o4IYb-BsKy02ڥ7o|Dymӷo}bN#~ZWԼJsҘFmQ1\Y4 ]a(zNTjcJS ݣϾԨpxVR4E=`@7%\|ժF`#ϲN* to⫧C@ߵk|jnlsHYFS˾Ij_Kw:^wk{K@x_( b%D#ݴށ϶=J} 77XgI "l8#t`T!~hHu"o10Q,sMK n*6 Np7TKQ=-fg>In_-q ,|K16FJ{ ?&t&L#"K{VkZi І#Ng }bhLH.N-.5$So7ڄ8_ev:& uLu/@P[`8h&u!_K V]).;l xϽ+zhj $A pL0 *F'3wXX hl^GX 4r)&`l HllFƣ$8AM[gVLeˌЅ+h4%t - ^wIZ$b*Qp;Sn!{hk2Ѓ5=̯7 CHiFmd0LjHuqFr$(to$gR$TjeFlV#r2#/rn9vMBt|/EQVBJN5ѷ; ]c /:5}y1sN'D2o4u>1\^R{SK J`[kr+o%°5 =~par^`s.*0 ?iмDFs {ng :mVzUkԗO6SLv'W\*)}7Hyi;US讁(TTK%޸> iBO F􊡙[F$7 X *FE~)zt{nSk"wHBVn7M#m|ɡJ*favkל>6#A2 M˚M/Tiv㵥[ӭKC-P~\fÏLόg- љ~&$R"kvT 5R;+FFP}Q车ϝC ΂ _ [rD_IfԆIނ VQKOn)vp2=գ vo!HJ7 M/O\3DNT8UY.LPsu\1p.zFC =+"J1[m>Tc첑+} ;G>"PaKց 0u4-k?Ul+&k[ʂ GZY22gTURO @\3 C|[EǀŽVK؎;Op3|F$yOys"t}~&9`LSFFyJDP`^n#>5?N{.1aGRew3P*zGSmzF(1t=`>R]UbE*()T.*R,C*χ~A-"yKR> 8Qn3W@l/1Xnm ^$ʙ3`D1&"(I|.JGAge 4[1ezd %pK^`&wn 9[ gU'Ƚ 9AnSAgkr2}X^+|g/ʸ^E]  grG~U{o=k^LA- "U`7Ecx`VnXȫTQ|Auv#VPSĻ@M Q~+&nҬ'񶱍gVGBӣջ{_9}l]xFPo+tZꟀ|:r81nO YF7Rd`O'6ץmH$):Gܺh[V|.j:)d n HmG kw7.(yVN<<'^.LyY]j*SMI+6KZMq^QAbCpTǘetV0{k}c1uXn~D%f.(9Ki !…'j_MTn.ʌAc6@#TStP!~GiƉ(5|p CBnʥH)Λ{-;ò!%F_H{oJ %\EU=H~~ Vyeh^M}b 4'P!yPv61u ʲ5 K uR*2\MrL\Hg8gs ~B_q fbhײRnz ?RY/ ,U6NpN:"%&&Wb4ɞK^ҙEMYvL5|7gy D#ڈJT khPLF9`QNKs3k3SgiR{_nPZ6@ɀݸȝzyͻ(={ l^lU3ɵn<7R_(^.. 9FiֿF?{NfYu罟!o)?\ Y$fğqT KWrRɞ9 S+ ΕzղmsF"gN0:JƃKZx*K+,8)XһS::QGv|B." yg !Qg-BK=z0.Px74d{в7=k|ևpb:Q[/#%n{˟/־T=/AڳTM9 8 _8bk4-}&Pf`\[bcw{JS"*/IXm#NW!',q2DF$-.@OŧLcMjބLF)Q3'ǯw Q8FWJ}d%k8$g%x㻣?D5Z[h{UN;X)G$ad=VUPǔ{#L?T#Z%0wdVdrhkym˅@lD qplG=]vu-͗1w{vR;a3=:XD(.1@ t1z Y܃yaN.pW>A/Ni9!GnVƊ뎒 T y,d#ɦ|&RCfj9v~c oKv+h$!k*8Z^ȄBx\NJIѫ[䈌j3[GS~.ɓ-~|ma\^Hg616JZp  P_g7/mշ b.412)SٖsVWGX} yr_p=¢4sX<"^r壶[E ?;i\# ucZzKƊ[T|z5G lдRy+2 -> 8jwd]M&4wcZV.1R#Pymw3ߖC*x7V\z+ow n/G6Ƽ P@/h$1(Sώ|Hп}S[_j.rߏk a2w͓Hz w\qez^<`΂)c'|c/M՘w"lʽl. (%b wM2uD}xZyީZ` Jr=aHh4f:E++/31%,( \ȃ=BRd%eA _2Jx|LQzSUaNIݕjުr"1RvKODhEf _o<*cna4ьH@ۇc1?vVYdJut4{cdN"2CbAIm(3?v9-:{tOOtDY%XJ+uS::O*SU#);R0:Q" z[E~7nk9]Yc ;w;uv zaLRq]#yF2_rb9ɪέ([n=ECm7g47PR{a{_r}hP(WS0yUq9ߌ× z_{6O)+  ܃6zei7 OG9gxfrODQem%p /mCNi(_h_ E^YDN]B8++#Rp À_kg];#a/$kHlweHp]K@h3 oݢ n<1 PGtަ^tQ$ao/^OH!AW^Լ>&u AA{LE+%o?.du6ܖsR4s]ĿYIbTLhoi9(HZ冲ʸ-& bEaL}TV)P W[6c2]߹D)QbNՕSɋUܘQdsMﶻ&n)|;vLNF[]YC^hM0J fA]|;$ x9g!,cԹW;tmzt6n l8El F:F6݄8 .qbn6ؙ͟&3BΊl;M!~c9en'ѕS`J 4Dy:j&"AiAVu[1C@ )/K" j)>X7C)dg8h!?n=:.w507ML !eSjrfByYKQϽ>F2 lNrOpFzD}8n@!uKV7T%FP @;:er\ɱch1hw ݍr*Cz:ckC=Kʲr Uf g$ av$$DSkX,$(ϩ҄wiT/0pUӣŽ@0` Tm== '\V;GfQwSƃ{.Jg 8BXTJaG{J-9U&!*k 뵒IJͩ@Uqt׭Q8rp09T G*k6 Bλ,̶U(bƲ4dw-/i1Gf\hԮNJy}lFw2ym E Uie'udv(2!x)'B:0eX\uώaR:K tSlVpb 0LUʈei )Pvϖr!)(=]:3QJFa)@|DI<*ǽ~괕bH37 -b󇮌fap NlD~{ѵH֦aq8ɤ^GW8b;x-)h43h%R$cۆh% :p"?Z:-b^=r@(u<#2Ͷַ cj>zjmz=P{|y+aDbEjE.0[N87y*tPWXy`D7%krݾqbP"rB,ӋQ;@}η*Z̳T*~T<|q c+cۧ}-3*߼%h{oЕwUB2>3'ڄUnI{4 Ed+k`;Q5G<FRn#+*>A'z! fgO[ÛJS f?=1>~^ w/G: xQk ^8}',6.\-n] ZbTgHc!`^Z *H:dF#9vs]Έ*MݥgjQu(g" &v"!xi?];*#W36Yf5K1x"'b6v L.Y1q#+9`ʫ ! Հ2 F''}ϩDSώrHڀQozh(TFŷ{o|ub* u6-l]`?FG߄iΦ*:mExBߪj.d{rOQW|])`pwC S-JL=i.B6r_l=) g..^bn7W ~:#TA6=)9 q*=ƚLIfIT|EVW}3|YGC `A,wH1s[h?KycL:B ]L,ًWm% / ]gF0P6%Y҅4h+KS텬i1˯`G#oNznߤVfwY'V8v˒LZ0ĕuLǛ6{c0]uͲV"/;,[6zz|p|lkൾl_m>Hi*> pO,9(>{@AG̢H,p:xENr#T=U7ħ:9QLȠVm@X!OlRmo20&ՙHV:;g?ǩΌ< M/LϸCN2B;B։j>Ք*_]FF cEK\mfn]#X!.Mw,?}A{ Re=*_KP(Bar5R{1Ra (grզj:E6E2q4FvGajBaƖqPc[5db3$)ηOeY`0svQ8 $Y/3AAsMN<Q"%ߐ۷DV#UXy.cz4*5=!z"~4{|Z^!չcFOY:zBF"Q2'+ ў&0|9n c0!ĚA+C@Sr:'y…f‹5En~S! CgwTN!C#SOde2}4Vg## Wǒv!s=C74(P VKv5lZMi&z3!!ϫq6W GV:"u%^P*^pR[5w2 ߒNE&H"舭g{6EVK8uty%뒚PW42yζJ6!V;  BLc_)9 JWɹd;UUj}C.bXOwJvٴd!m7mFsP ܣCrUwb"GN76NJfj c}^z9-Qq#+NiE9y;kD s!B&neK)7LR~owKpFopzY ti=O{2ޮa|!߿p`2cRpwސtMj㩭c*G[Qb2 w"ҞUO-%aWlfW\̒7ꗽ5&sZ_hCT#%~?GVAc oj"xkd=XNX45[uI"iNb2q8fwZEi@ *7z?G ahzIG?u3KMOBc/aXIg:[u6tްie̼\r8KͱnUX#(a 9ޙ Z4*BZcERwN'N'z#Zr]_6 dc&9B]}X:]T7vm Io UԿ yrt 9Q;`.:c-Gl$fyjʭĮܐcS?Ε4Ъi@0蘊sqR7%3Z-fI?0/0b݂?85EUh]叆Z]mD-.1Es@%OrA9*0Ny/:^(HX=#?$nu,iJ|$&'5f=f1ۏ&13O#[Ez0݁m&[z5#h|0d#r>τb}AD<›߯դ l=/e[}>{)/F? 7D9.F|q# /&V ,~g:D_ IjoaP\GZ~ nuby'A1{齌Ha'גgw:HuC1c4]3NQB+9{$SS0d]gW؂hx25?o2EB!^ME 03l:z>TjzXX{kA5hNVIMO,DWBN2ښT .~?\`cZQc_[nl,/.4)nrI㨆ķ\1\ )ydx td’tq Oq!I@j٫Om&IDF\zKD_1|Zk3PW \21mCH~6KmmMX#E UY^e$HtyEoc G V]WY`D h3{CwNL wkvϓkO &Mu4-#p3ȹ,yx/``z<6;h₶OW)ຽAw9Q82eERts_Uo d9@_+HT΀K9I1gAl+V/ik χFl?A CY[gbg WAP9LnjxOT7t hHe0rQnL: at }[/J_:$9YzN=ߘK,bo*¾{G\FF/{i1ut >7]D@Bd* 3.=w pCL<0ѐ6O*Y((_j4!:eӁr>HX7%vkjlo7 - J Csg7bTjDMįbDL񛑕lS%tu^ %KGv<9h31 .D_`QS8=n.VZ{$dQzVkڱ-tq:>V/L[a[޵:o ~aIE'250Þ5J`-8xªy Doִ>wbq', )G[ψ\>&m+}غJDzt2TGD*2t &OH*;G %ƥ ϰ<`㓰i2|x ОX C:x˨RUPZ>;)QʱdN_@ZV"IËwA gw-6UpoJoVcvHkv ݂/+ b{s#`^Դ=:Ѻ(LmqLߗ+%N=o+`JuKѷ?wDoX.zV͡&GGxh0:4\#3 0H̘Xg-ZjZ?GIzx/ P7 )eJjCO|1]ҩَ5QʼnI][h7OLC< P8* yl2to}KT̺I)Y (w1k&񨨰R.w nt^ ȰEP(ECThW7@| mB^٨+<#%6ꤻQ5t'/F/1RG(W˪xUe?k2ZxUpU $LeXN:]b1O'ma+shn==@]:QCˀ*VE0~&# `?%ђH1/m&I|sP-"1"4?C)I+4cҿ9yY$F. uv_8lɢS{.¡+nΆ4ulzZT5<"h;%~L.] YMvz'ev5WW~% ]vXD 90*b;;*DJb!W&oTg> .\-ƄEoJ~[`̰-+ƹK= Ff]f `a45.JARjP@p,i:?ž06uaNg[uT`Zun(#z'vVe9TR9hc#tEǩMbyWX]mqwK.8q 6T#SqMd<X@4em)d<>otI @'̞+:m Nr(}/{ݛeAv %;qs9$/ձvqb&')9&` V1`a~<-Wm&dy+|)>}|o {:|r=cOEnăN} {w_N#eO2Sb^~ YG栬YߦU-·a)>smZғnGbN>RYsHKwSY)ŚaXJ@AAG RGRJxhB=-٘Oecz84S|0~a\F@O"Wڟ˴>Cm~o@E y0=F8ЊpQ:AtD&x*X02~P?~/0ݠYWT,7P\*QWjǯG+^΃0S_^vrȞ;JYRӟspR<R8c8}^T;+4 F'X4j܊5wfcvu2@5gRC~҄tsE㋊+ W "Lx2-$aR* RiW* 06> nƣwZ+U+.vڜjNnFo(=Aj!ۡ:xƹ3Gau~$|E~2T2{ _ب?tP2?؆s pq6PYu,TS G7uѡӥ Ԩﰲօl1)I׳$hq?̀քbUf5@lqpזZҲªAm=>lex8W|3g˯7[ kGò$cF 8$:cM#S7;cd"o ?f>f&ürߓR~.ڃ\'f<3/ޤjX[z#sKgJDЍ977~ujGyq&5-U2ޛMlA莏\ 1J(ߛQ,FVsݒ )9 07#=Se8s1/6Z`R d|HS~ "!حcxMo *;3"ϭ(fs!'A+j. VI}NC@:ϩcO^Mk&ehw/ +{juNّ 8Ȗwy*hQYOX|t%y=Mq۴*b"͟ 8l׿_ u,dI'xMF?JJxd3رsr 1fr $#1t~γ#J11_I劋cedSxP9uKMB`f9,.ŒVirwɕ206F_Sw\!fh'8'5k`yrq* V)A6A\ګ7”PW=( da,Kkp9rL[U4n'#]kxW'YqGxt\;ATE8Q=;;V҉@BP2LBT1+4DT7&rY]*!׶Q$Kg5` w<7eJZTsөG;PWA69~Us-=DdYɕ?]LoOiaIXkp \r ڇF]JN%ԣ9#@JI";\pS/4*#f/~޺d.%P(Clc!kG.UdH sqBڊ&j&1GҵfjuUsߤSY*,=9"gȾQ7/ 1y+?[M~ ,iE4DQ(Y_ q|M,NCf7^65{_&yTQ]TxX.ܠƯp=dCD>W gQi DTmC[h.P1;e;*yޯl Ye4~@ $;%` bIhLs n zBc2*,[3wƯ0yTrg3Zy9踾'MNԏK$R 6',L`?dCocO]$ur'4zoNԆd(cSƔ<0Skfkj`$o|7 .h9lg9lb ~\>~ݜF.̶w <%X 2 D"—O \R4S ɑ lI%{Emaw:8Vx m 0c=&W`ߙGݢΤT!@1a>X[h:~*?wLLM2aL0N&!BWӕ]U6jH810!xוyu/F =hA d-Nc->H5'iamfr݈`ǵX~4PD'Ke|Upht|m:Dy\#ZS(1q 9=hxS#/ &o5Uz G@D*[qZXjW83AP. Ս+1j PކiDW6ej$Y /JqPRb3m>N-Zr R[8KD=\{Vi< 'ׅT!\ƅ#{72ϰԏ_. bP,o>܉뾪Ijwx}6Iʜ R:ϰQ\s#{:(LH`7ImRo؟gxmVx GJ [JLUǥB]qr\@z3}ajb ?`x4;q6Y}LD_;)Ayӣ~(D//!;S3*hvx@v^8y]o$?ІFx"6ʇ]O =fdf;JDC3ƜocSYT ƨ19}ev6Jp>F E+Bz%nZ?ٳ!2g9JnTutqmelhӯV:gCV_L|R[lxe@q#yx"V]ayxw,|iȧ7kIٜ(SZ(vTU$ ?*P0(N-[Kq)>j, ]4?u8~]N_l b:n||P[W5R菃ouVR~}HUGA޸Ok˘ ^C]뻜&VI/E "?WPf|ݿti)=_?QLphlCücCqx"_ +u$lcdeb^pՂBnZs+[tQ+n}/Sp|OY":CoU .DM32Ndf?u"7'ߝG {P?SС77p\!XWk!_o MO!I^7ƿ$V~KvFWm8G`~KYȎX< \TOFgҀL~Nk 4BoƋ+C҉\^,ش꾞9WUgYkn4 Bd a|`8)^3 Ă?LXD<ϩC# (ȳ2~4^A& !K MpiZkCܛ'|6cEL%1֗@vanBUo^Xiap–|s[E1 1Z@>Um_ut9[)-/dʟR`b.m.#]v|v_h67{1 \b$~kYaIBe]Xćs tm x2%l{<]H#ϊT'$L!õ;h&H 0ߴpŻ&Q"wM&dCS6SOɢ-ߋ;gN @o4ݮc6_bHJ:[AYIyHJ+>| 0:cѼ]O "-(89 _ Q8YU&'nȩ(Hir})*XeFn̋n&K4-~4k\mi]]x/ fEFv&g22R^cRK ~K$ ʅN) ͧE,Lt@4~1mm=ZFisz8 F0Z DBK\ ] ]G}![ӸUʪɇܝyT= < wikGY!m,+((!r h \<|c%/;C6Em[?Vws|.MҢbAݣbˠPfw r޽2jp]jFҮ$9 ~PJĦa8jC`ֲ5RDc2r3;LO4TG-W#vZK.^EQv ø(ӂRͷ\ҹ/͚qc3;`^|~1h컡/;I !"t@05۴p/f8)r~͉z\=*ɬwNɒksNKй~J = \(`,=[? [5֮0@HMQPZOt<@AU=IOK6 [=֖=S`,O.DR8Ocᇺh!H@g0HV`#+pj{j[" ֵ Qۿ'~ 0?X&zJwbn2,G NjvfSĒCYugZ>=vGc894|'hdZL? V4#h 1 %(.Qdm&`ZįTZ: U;p8N:YEBEQ$в /-,BKY\(qL:fGD6BuC&?/@K'la|LO~JmJDB R5ϜςxҧM!lz YZ